PayPal Pays A Price For Exposing Customer Data

PayPal has agreed to pay a $2 million civil fine to New York State’s Department of Financial Services (DFS) after an investigation revealed serious cyber security flaws that led to the exposure of customers’ Social Security numbers.

This left names, dates of birth and Social Security numbers belonging to customers of the leading digital payments company exposed and easily accessible to cyber criminals for a period of seven weeks.

The issue stemmed from PayPal’s failure to implement adequate cyber security controls, which allowed cybercriminals to access sensitive personal information.

According to DFS, PayPal’s negligence in managing its cyber security infrastructure allowed customers’ names, dates of birth, and Social Security numbers to be exposed for nearly seven weeks.

The breach was discovered following a report on December 6, 2022, when a security analyst saw an online message referencing a vulnerability related to Social Security numbers. Subsequently, PayPal’s cyber security team noticed an unusual uptick in access attempts, which led them to determine that cyber criminals were using “credential stuffing” attacks to gain unauthorised access to personal details.
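The signal the article describes, an unusual uptick in access attempts that turned out to be credential stuffing, is the kind of pattern a login-log detector can flag. The following is an added example, not code from the article or from PayPal: it runs over constructed sample log lines (format, IPs and account names are assumptions) and flags a source IP that hits many distinct accounts with mostly failed logins inside a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): ISO time, source IP, account, outcome.
# 203.0.113.7 replays leaked username/password pairs against many accounts;
# 198.51.100.4 is an ordinary user who mistypes once and then succeeds.
SAMPLE_LOG = """\
2022-12-06T10:00:01Z 203.0.113.7 alice FAIL
2022-12-06T10:00:02Z 203.0.113.7 bob FAIL
2022-12-06T10:00:03Z 203.0.113.7 carol FAIL
2022-12-06T10:00:04Z 203.0.113.7 dave OK
2022-12-06T10:00:05Z 203.0.113.7 erin FAIL
2022-12-06T10:00:06Z 203.0.113.7 frank FAIL
2022-12-06T10:01:00Z 198.51.100.4 grace FAIL
2022-12-06T10:01:30Z 198.51.100.4 grace OK
"""


def parse_log(text):
    """Return (time, ip, account, ok) tuples; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, account, outcome = parts
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((when, ip, account, outcome == "OK"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_accounts=5, min_fail_ratio=0.8):
    """Return {ip: (distinct_accounts, failures, attempts)} for every source IP whose
    attempts within any `window` span touch at least `min_accounts` different accounts
    and fail at least `min_fail_ratio` of the time. Credential stuffing tries a
    different account per attempt, which is what separates it from one user retrying."""
    by_ip = defaultdict(list)
    for when, ip, account, ok in sorted(events):
        by_ip[ip].append((when, account, ok))
    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until all attempts fit inside `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            span = attempts[start:end + 1]
            accounts = {account for _, account, _ in span}
            failures = sum(1 for _, _, ok in span if not ok)
            if len(accounts) >= min_accounts and failures / len(span) >= min_fail_ratio:
                flagged[ip] = (len(accounts), failures, len(span))
    return flagged
```

A flagged IP is a candidate for rate limiting or a CAPTCHA challenge rather than proof of compromise; the successful login in the sample is exactly the case where enforced multifactor authentication stops a correct leaked password from being enough.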

The investigation found that PayPal had not used qualified staff for key cyber security functions, nor had it provided sufficient training to address the risks associated with these vulnerabilities. Additionally, PayPal’s failure to require multifactor authentication or implement other protective measures like CAPTCHA left accounts more vulnerable to attack.

In response to the findings, PayPal has since taken corrective actions, including implementing mandatory multifactor authentication for all US accounts, forcing password resets for affected users, and introducing CAPTCHA as an added layer of protection. Despite these efforts, the fine highlights the importance of robust cyber security practices in safeguarding user data.

Adrienne Harris, Superintendent of New York’s Department of Financial Services, emphasised that PayPal’s actions violated the state’s cyber security regulations.

While PayPal has expressed commitment to improving security and protecting consumer information, the incident serves as a reminder of the ongoing risks and the need for strong cyber security measures in digital finance.

Reuters | I-HIS | Straight Arrow News | USA Today | Cyber News Group | Yahoo

Image: @PayPal
