PayPal has been hit with a $2 million fine by New York’s financial regulator, the Department of Financial Services (DFS). This is due to cybersecurity issues that led to a data breach in December 2022.
The breach put the personal information of many customers at risk, including their names, email addresses, and Social Security numbers. The DFS investigation found major problems with PayPal’s cybersecurity practices: the company did not staff important cybersecurity roles with qualified people and did not provide enough training to help reduce cybersecurity risks. The investigation tied these shortcomings directly to the breach.
It’s true that a company is not generally at fault simply because it was hacked. However, if it does not take reasonable steps to keep itself safe, it puts its users at risk. In this case, the breach exploited a weakness that was introduced when changes were made to improve customer access to IRS Form 1099-Ks. The teams making those changes had not been adequately trained on PayPal’s systems or on how to develop applications for them, which led to mistakes.
As a result, attackers were able to use a method called credential stuffing, in which stolen username-and-password combinations are tried in bulk until one works. Once a stolen login succeeded, the attackers could access forms containing private customer information.
The DFS found that PayPal’s security controls were not strong enough to stop the credential-stuffing attack. The investigation also revealed that PayPal had no written policies for access management, identity management, or protection of customer data. In addition, PayPal lacked effective measures to block unauthorized access, such as multi-factor authentication, CAPTCHA, or limits on the number of login attempts allowed.
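To make the missing "limits on login attempts" control concrete, here is an added Python illustration (not PayPal's code) of a sliding-window login limiter replayed over constructed authentication events, which also flags the credential-stuffing pattern of one source IP cycling through many accounts. The log format, thresholds and sample events are all assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of authentication events (hypothetical format, not PayPal's logs):
# one source IP cycles through 12 different accounts and finally hits a working pair.
SAMPLE_LOG = "\n".join(
    f"2022-12-06T10:00:{i:02d}Z ip=203.0.113.7 user=u{i:02d} result={'OK' if i == 12 else 'FAIL'}"
    for i in range(1, 13)
) + "\n2022-12-06T10:01:00Z ip=198.51.100.2 user=alice result=OK\n"

LINE_RE = re.compile(r"(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")
STUFFING_USERS = 5  # assumed: this many distinct accounts from one IP looks like credential stuffing

def parse(log):
    """Yield (timestamp, ip, user, success) tuples from the constructed log format."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            yield ts, m["ip"], m["user"], m["result"] == "OK"

class LoginGuard:
    """Sliding-window limiter: refuses attempts once an account or a source IP has too many recent failures (assumed thresholds)."""
    def __init__(self, per_account=5, per_ip=10, window=timedelta(minutes=10)):
        self.per_account, self.per_ip, self.window = per_account, per_ip, window
        self.fails = defaultdict(deque)  # ("user"|"ip", key) -> recent failure times
    def _recent(self, key, now):
        q = self.fails[key]
        while q and now - q[0] > self.window:  # drop failures outside the window
            q.popleft()
        return len(q)
    def allow(self, now, ip, user):
        return (self._recent(("user", user), now) < self.per_account
                and self._recent(("ip", ip), now) < self.per_ip)
    def record(self, now, ip, user, success):
        if not success:
            self.fails[("user", user)].append(now)
            self.fails[("ip", ip)].append(now)

def replay(log, guard=None):
    """Run events through the limiter; return (attempts refused, IPs that tried enough distinct accounts to be flagged)."""
    guard = guard if guard is not None else LoginGuard()
    refused, users_by_ip = 0, defaultdict(set)
    for ts, ip, user, ok in parse(log):
        users_by_ip[ip].add(user)
        if not guard.allow(ts, ip, user):
            refused += 1  # the attacker's eventual valid pair is never even tested
            continue
        guard.record(ts, ip, user, ok)
    flagged = sorted(ip for ip, users in users_by_ip.items() if len(users) >= STUFFING_USERS)
    return refused, flagged
```

In the sample replay the per-IP limit refuses the last two attempts, including the one that would have succeeded, and the source IP is flagged for having tried twelve different accounts.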
The $2 million fine is small for a company of PayPal’s size, but the more effective penalty is the public record of how weak its security practices were. It shows how serious the company’s cybersecurity problems were. PayPal has apparently fixed the issues that were found and improved its cybersecurity practices. These changes are intended to stop similar problems from happening again.