
PayPal has agreed to pay a $2 million settlement to New York State over a data breach in December 2022 in which roughly 35,000 customer accounts were accessed without authorization. The New York Department of Financial Services (DFS) found that PayPal had violated the state's cybersecurity regulation (23 NYCRR Part 500), and that those failures allowed the exposure of sensitive customer information.
The attackers did not exploit a software vulnerability; they used credential stuffing, replaying username and password pairs leaked in unrelated breaches against PayPal's login flow. Because PayPal did not require multi-factor authentication and had no CAPTCHA or rate limiting on logins at the time, the replay could run at scale, and a valid password alone was enough to reach personal data including names, dates of birth, addresses and Social Security numbers. The exposure traced back to a change that made IRS Form 1099-K available to more customers: the teams implementing it had not been trained on PayPal's systems and application-development processes, existing review procedures were not followed, and the forms, which carry SSNs, ended up reachable with nothing more than a password.
Key Security Failures Identified:
– No mandatory multi-factor authentication
– No CAPTCHA on the login flow
– No rate limiting on login attempts
– Inadequate training of the staff who implemented the 1099-K change
– Cybersecurity policies that existed on paper but were not followed in practice
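Two of the missing controls above, rate limiting and detection of the credential-stuffing pattern, are easy to show concretely. The following is an added example, not PayPal's code or anything from the DFS order: it runs a credential-stuffing detector (one source trying many distinct accounts with a low success rate) and a sliding-window login rate limiter over a constructed login log. The log lines, IP addresses, usernames and thresholds are invented for illustration.

```python
"""Added example (not PayPal's code): credential-stuffing detection and a
sliding-window login rate limiter, run over a constructed login log.
All log lines, IPs, usernames and thresholds below are invented."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log: "<timestamp> <source_ip> <username> <OK|FAIL>".
# 203.0.113.10 replays leaked credential pairs against many accounts;
# 198.51.100.7 is a legitimate user who mistypes a password twice.
SAMPLE_LOG = """\
2022-12-06T03:00:00Z 203.0.113.10 alice@example.com FAIL
2022-12-06T03:00:01Z 203.0.113.10 bob@example.com FAIL
2022-12-06T03:00:02Z 203.0.113.10 carol@example.com FAIL
2022-12-06T03:00:03Z 203.0.113.10 dave@example.com OK
2022-12-06T03:00:04Z 203.0.113.10 erin@example.com FAIL
2022-12-06T03:00:05Z 203.0.113.10 frank@example.com FAIL
2022-12-06T03:00:06Z 203.0.113.10 grace@example.com FAIL
2022-12-06T03:00:07Z 203.0.113.10 heidi@example.com FAIL
2022-12-06T03:00:08Z 198.51.100.7 ivan@example.com FAIL
2022-12-06T03:00:20Z 198.51.100.7 ivan@example.com FAIL
2022-12-06T03:00:30Z 198.51.100.7 ivan@example.com OK
"""

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_log(text):
    """Parse log lines into (timestamp, ip, username, success) tuples, in order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, status = line.split()
        when = datetime.strptime(ts, TS_FMT).replace(tzinfo=timezone.utc)
        events.append((when, ip, user, status == "OK"))
    return events


def detect_credential_stuffing(events, window=timedelta(seconds=60),
                               min_attempts=5, min_distinct_users=5,
                               max_success_ratio=0.5):
    """Flag source IPs that, within `window`, make at least `min_attempts`
    logins across `min_distinct_users` different accounts with a low success
    rate. One person retrying their own account is not flagged here; the
    per-username limiter in enforce() covers that case."""
    recent = defaultdict(deque)   # ip -> deque of (time, user, ok) inside window
    flagged = {}
    for when, ip, user, ok in events:
        q = recent[ip]
        q.append((when, user, ok))
        while q and when - q[0][0] > window:
            q.popleft()
        attempts = len(q)
        distinct = len({u for _, u, _ in q})
        successes = sum(1 for _, _, s in q if s)
        if (attempts >= min_attempts and distinct >= min_distinct_users
                and successes / attempts <= max_success_ratio):
            entry = flagged.setdefault(ip, {"first_flagged_at": when.strftime(TS_FMT)})
            entry.update(attempts=attempts, distinct_users=distinct, successes=successes)
    return flagged


class SlidingWindowLimiter:
    """Allow at most `limit` attempts per key in any trailing `window`."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, key, now):
        q = self.hits[key]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False          # over budget: reject before checking the password
        q.append(now)
        return True


def enforce(events, per_ip=(5, 60), per_user=(10, 300)):
    """Replay events through an IP limiter and a username limiter (limit, seconds)
    and return how many attempts each source IP would have had rejected.
    The IP limit catches stuffing from one source; the username limit catches
    a distributed attacker or brute force aimed at a single account."""
    ip_limiter = SlidingWindowLimiter(per_ip[0], timedelta(seconds=per_ip[1]))
    user_limiter = SlidingWindowLimiter(per_user[0], timedelta(seconds=per_user[1]))
    blocked = defaultdict(int)
    for when, ip, user, _ok in events:
        if not ip_limiter.allow(ip, when) or not user_limiter.allow(user, when):
            blocked[ip] += 1
    return dict(blocked)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("credential stuffing:", detect_credential_stuffing(evs))
    print("rejected by rate limit:", enforce(evs))
```

In the sample, the attacking IP is flagged on its fifth distinct username and would have had its last three attempts rejected by the IP limiter, while the legitimate user's three tries on one account pass both limits. In production the limiter state lives in a shared store such as Redis rather than process memory, and the detector's output feeds a step-up (CAPTCHA, then MFA) rather than a hard block, since leaked passwords are occasionally valid and the account owner must still be able to get in.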
In response, PayPal has implemented several security improvements:
– Mandatory MFA for U.S. accounts
– CAPTCHA on the login flow
– Rate limiting on login attempts
– Masking of sensitive data, including SSNs, on the IRS forms
The settlement requires PayPal to pay the penalty within 10 days of the consent order, and DFS reserves the right to take further action if new violations are found. The case is a reminder that MFA, bot controls and rate limiting on login are baseline expectations for a financial institution, not enhancements, and that a feature change rolled out without trained staff and the usual review can by itself become the breach.