PayPal Pays A Price For Exposing Customer Data

Uploaded on 2025-01-31 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Financial

PayPal has agreed to pay a $2 million civil fine to New York State’s Department of Financial Services (DFS) after an investigation revealed serious cyber security flaws that led to the exposure of customers’ Social Security numbers.

This left names, dates of birth and Social Security numbers belonging to customers of the leading  digital payments company exposed and easily accessible to cyber criminals for a perood of seven weeks. 

The issue stemmed from PayPal’s failure to implement adequate cyber security controls, which allowed cybercriminals to access sensitive personal information.

According to DFS, PayPal’s negligence in managing its cyber security infrastructure allowed customers’ names, dates of birth, and Social Security numbers to be exposed for nearly seven weeks.

The breach was discovered following a report on December 6, 2022, when a security analyst saw an online message referencing a vulnerability related to Social Security numbers. Subsequently, PayPal’s cyber security team noticed an unusual uptick in access attempts, which led them to determine that cyber criminals were using “credential stuffing” attacks to gain unauthorised access to personal details.

The investigation found that PayPal had not used qualified staff for key cyber security functions, nor had it provided sufficient training to address the risks associated with these vulnerabilities. Additionally, PayPal’s failure to require multifactor authentication or implement other protective measures like CAPTCHA left accounts more vulnerable to attack.

In response to the findings, PayPal has since taken corrective actions, including implementing mandatory multifactor authentication for all US accounts, forcing password resets for affected users, and introducing CAPTCHA as an added layer of protection. Despite these efforts, the fine highlights the importance of robust cyber security practices in safeguarding user data.

Adrienne Harris, Superintendent of New York’s Department of Financial Services, emphasised that PayPal’s actions violated the state’s cyber security regulations.

While PayPal has expressed commitment to improving security and protecting consumer information, the incident serves as a reminder of the ongoing risks and the need for strong cyber security measures s in digital finance.

Reuters   |    I-HIS    |   Straight Arrow News     |    USA Today  |   Cyber News Group     |     Yahoo

Image: @PayPal

You Might Also Read: 

Fake PayPal Emails Cost £8million In Theft:

If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« How Does DeepSeek Compare With Other Chatbot AI Tools?
The British Government Faces Severe Cyber Threats »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Asavie

Asavie

Asavie provide solutions for Enterprise Mobility Management and secure IoT Connectivity.

360Logica

360Logica

360Logica is a software testing company offering numerous kinds of testing services to improve the quality and performance of your software and IT systems.

ZeroFox

ZeroFox

ZeroFox safeguards modern organizations from dynamic security risks across social, mobile, surface, deep and dark web, email and collaboration platforms.

Disklabs

Disklabs

Disklabs are industry leaders in data recovery, digital forensics and data erasure.

RIPS Technologies

RIPS Technologies

RIPS Technologies delivers automated security analysis for PHP applications as platform independent software or highly scalable cloud service.

Halon

Halon

Halon is a flexible security and operations platform for in-transit email.

ESL Bangladesh

ESL Bangladesh

ESL is the Largest IT Infrastructure & Telecom Service Provider in Bangladesh.

STM

STM

STM provides system engineering, technical support, project management, technology transfer and logistics support services for the Turkish Armed Forces.

DataPassports

DataPassports

DataPassports is a data-centric security and privacy solution that enforces privacy and security from end-to-end with transparent protection of data at the source.

ScienceSoft

ScienceSoft

ScienceSoft is a provider of software development and IT consulting services including Information Security.

KirkpatrickPrice

KirkpatrickPrice

KirkpatrickPrice is dedicated to providing you with innovative security guidance and efficient audit services.

Information Security Officers Group (ISOG)

Information Security Officers Group (ISOG)

ISOG's mission is to strengthen information security through awareness and education programs, promoting community and fellowship among information security leaders.

Agile Defense

Agile Defense

Agile Defense is an Information Technology services provider, delivering leading-edge Digital Transformation solutions to the Federal Government.

Sardine

Sardine

Sardine is a leader in financial crime prevention. Using unparalleled device intelligence and behavior biometrics, Sardine applies machine learning to detect and stop fraud before it happens.

Vana Solutions

Vana Solutions

Vana Solutions is an Information Technology Services company. We help commercial & federal organizations select, adapt, and integrate the right technology solution so you can move faster.

Redinent Innovations

Redinent Innovations

Redinent is a cutting-edge IoT Security platform that offers precise security posture analysis and delivers actionable intelligence, empowering businesses to operate with unrivaled resilience.