PayPal Pays A Price For Exposing Customer Data

PayPal has agreed to pay a $2 million civil fine to New York State’s Department of Financial Services (DFS) after an investigation revealed serious cyber security flaws that led to the exposure of customers’ Social Security numbers.

The flaws left names, dates of birth and Social Security numbers belonging to customers of the leading digital payments company exposed and easily accessible to cyber criminals for a period of nearly seven weeks.

According to DFS, the exposure stemmed from PayPal’s failure to implement adequate cyber security controls and from negligence in managing its cyber security infrastructure, which allowed cyber criminals to access the sensitive personal information.

The breach was discovered following a report on December 6, 2022, when a security analyst saw an online message referencing a vulnerability related to Social Security numbers. Subsequently, PayPal’s cyber security team noticed an unusual uptick in access attempts, which led them to determine that cyber criminals were using “credential stuffing” attacks, in which username and password pairs stolen from other breaches are replayed at scale against a site’s login, to gain unauthorised access to personal details.

The investigation found that PayPal had not used qualified staff for key cyber security functions, nor had it provided sufficient training to address the risks associated with these vulnerabilities. Additionally, PayPal’s failure to require multifactor authentication or implement other protective measures like CAPTCHA left accounts more vulnerable to attack.

In response to the findings, PayPal has since taken corrective actions, including implementing mandatory multifactor authentication for all US accounts, forcing password resets for affected users, and introducing CAPTCHA as an added layer of protection. Despite these efforts, the fine highlights the importance of robust cyber security practices in safeguarding user data.
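The two steps described above, spotting a burst of login attempts that looks like credential stuffing rather than ordinary traffic, and then listing the accounts that were successfully logged into from a flagged source so their passwords can be reset, as an added example that is not PayPal’s or DFS’s code. The log format, the IP addresses, the account names and the thresholds are all constructed here for illustration. The distinguishing signal is the ratio of distinct usernames to attempts from one source: credential stuffing tries many accounts once each (and, unlike brute force, succeeds now and then, because people reuse passwords), whereas password brute force hammers one account.

```python
"""Flag credential-stuffing bursts in a login log and list accounts to reset.

Added example, not PayPal's or DFS's code. The one-line-per-attempt log
format below (ISO timestamp, source IP, username, OK/FAIL) is an assumption.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: one stuffing burst (203.0.113.7), one brute-force
# run against a single account (198.51.100.9), and one ordinary user who
# mistypes a password once (192.0.2.44). Addresses are documentation ranges.
SAMPLE_LOG = """\
2022-12-06T10:00:01Z 203.0.113.7 alice@example.com FAIL
2022-12-06T10:00:02Z 203.0.113.7 bob@example.com FAIL
2022-12-06T10:00:02Z 203.0.113.7 carol@example.com FAIL
2022-12-06T10:00:03Z 203.0.113.7 dave@example.com OK
2022-12-06T10:00:03Z 203.0.113.7 erin@example.com FAIL
2022-12-06T10:00:04Z 203.0.113.7 frank@example.com FAIL
2022-12-06T10:00:04Z 203.0.113.7 grace@example.com FAIL
2022-12-06T10:00:05Z 203.0.113.7 heidi@example.com OK
2022-12-06T10:00:05Z 203.0.113.7 ivan@example.com FAIL
2022-12-06T10:00:06Z 203.0.113.7 judy@example.com FAIL
2022-12-06T10:01:00Z 198.51.100.9 alice@example.com FAIL
2022-12-06T10:01:01Z 198.51.100.9 alice@example.com FAIL
2022-12-06T10:01:02Z 198.51.100.9 alice@example.com FAIL
2022-12-06T10:01:03Z 198.51.100.9 alice@example.com FAIL
2022-12-06T10:01:04Z 198.51.100.9 alice@example.com FAIL
2022-12-06T10:01:05Z 198.51.100.9 alice@example.com FAIL
2022-12-06T10:01:06Z 198.51.100.9 alice@example.com FAIL
2022-12-06T10:01:07Z 198.51.100.9 alice@example.com FAIL
2022-12-06T10:01:08Z 198.51.100.9 alice@example.com FAIL
2022-12-06T10:01:09Z 198.51.100.9 alice@example.com FAIL
2022-12-06T10:05:00Z 192.0.2.44 alice@example.com FAIL
2022-12-06T10:05:10Z 192.0.2.44 alice@example.com OK
"""


@dataclass(frozen=True)
class Attempt:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text: str) -> list[Attempt]:
    """Parse the assumed log format; blank lines are skipped."""
    attempts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        attempts.append(Attempt(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"))
    return attempts


def classify_source(attempts: list[Attempt], window: timedelta = timedelta(minutes=5),
                    min_attempts: int = 10, stuffing_ratio: float = 0.8,
                    brute_force_ratio: float = 0.2) -> str:
    """Label one source IP: 'credential_stuffing', 'brute_force' or 'benign'.

    Slides a window over the IP's attempts; any window holding at least
    min_attempts is judged by distinct_users / attempts. Thresholds are
    illustrative and would be tuned against real traffic.
    """
    events = sorted(attempts, key=lambda a: a.ts)
    worst = "benign"
    for i, start in enumerate(events):
        burst = [a for a in events[i:] if a.ts - start.ts <= window]
        if len(burst) < min_attempts:
            continue
        distinct_ratio = len({a.user for a in burst}) / len(burst)
        if distinct_ratio >= stuffing_ratio:   # many accounts, one try each
            return "credential_stuffing"
        if distinct_ratio <= brute_force_ratio:  # one account, many tries
            worst = "brute_force"
    return worst


def classify_log(text: str, **thresholds) -> dict[str, str]:
    """Group attempts by source IP and label each source."""
    by_ip: dict[str, list[Attempt]] = defaultdict(list)
    for a in parse_log(text):
        by_ip[a.ip].append(a)
    return {ip: classify_source(atts, **thresholds) for ip, atts in by_ip.items()}


def compromised_accounts(text: str) -> set[str]:
    """Accounts that logged in successfully from a stuffing source: reset these."""
    labels = classify_log(text)
    return {a.user for a in parse_log(text) if a.ok and labels.get(a.ip) == "credential_stuffing"}


if __name__ == "__main__":
    for ip, label in classify_log(SAMPLE_LOG).items():
        print(f"{ip:15} {label}")
    print("force reset:", sorted(compromised_accounts(SAMPLE_LOG)))
```

Per-source counting only catches stuffing that is not spread across a large proxy pool; a distributed campaign shows up instead as a site-wide rise in the distinct-username and failure rates, which is the kind of uptick the article describes. Rate limiting, CAPTCHA and mandatory multifactor authentication blunt the attack whichever way it is detected, since a replayed password alone no longer completes a login.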

Adrienne Harris, Superintendent of New York’s Department of Financial Services, emphasised that PayPal’s actions violated the state’s cyber security regulations.

While PayPal has expressed commitment to improving security and protecting consumer information, the incident serves as a reminder of the ongoing risks and the need for strong cyber security measures in digital finance.

Reuters   |    I-HIS    |   Straight Arrow News     |    USA Today  |   Cyber News Group     |     Yahoo

Image: @PayPal

You Might Also Read: 

Fake PayPal Emails Cost £8million In Theft:


If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« How Does DeepSeek Compare With Other Chatbot AI Tools?
Securing Critical Infrastructure From Nation-State Threats   »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Roka Security

Roka Security

Roka Security is a boutique security firm specializing in full-scale network protection, defending against advanced attacks, and rapid response to security incidents.

Forcepoint

Forcepoint

Forcepoint provide a unified, cloud-centric platform that safeguards users, networks and data while eliminating the inefficiencies of managing multiple point security products.

Samsung Knox

Samsung Knox

Samsung Knox brings multi-layered defence-grade security to your business’s smartphones and tablets.

WizNucleus

WizNucleus

WizNucleus develops, markets and supports a software platform (Cyberwiz-Pro) that enables Critical Infrastructure enterprises to ensure the future state of their cybersecurity and remain compliant.

Auxilium Cyber Security

Auxilium Cyber Security

Auxilium Cyber Security is independent information security consultancy company.

Fedco International

Fedco International

Fedco International is an IT and SCADA ICS Security consultancy firm.

Invest Ottawa

Invest Ottawa

The IO Accelerator Program is designed to rapidly and systematically accelerate the development and commercial success of high growth technology firms.

Com Laude

Com Laude

Com Laude is a domain name management company that provides strategic consulting to help companies strengthen digital brand, safeguard customers & protect brand IP.

Nihon Cyber Defense

Nihon Cyber Defense

Nihon Cyber Defence’s mission is to provide robust solutions, services and support to governments, corporates and organisations in order to protect them from all forms of cyber warfare.

SIA Group

SIA Group

SIA Group, an Indra company, combines Consulting, Systems Integration and Managed Services in four specialized business areas: Information Security, Storage, IT Management and IT Mobility.

Aiden Technologies

Aiden Technologies

Aiden simplifies your IT process, giving you peace of mind and security by ensuring your computers get exactly the software they need and nothing else.

Orpheus Cyber

Orpheus Cyber

Orpheus Cyber provides predictive and actionable intelligence to our clients - enabling them to anticipate, prepare for and respond to the cyber threats they face.

Endor Labs

Endor Labs

Endor Labs gives developers and security teams the context they need to prioritize open source risk.

Cognna

Cognna

Cognna's innovative platform is designed to empower you and your team, providing the tools you need to detect, prevent, and resolve threats with ease.

RADICL

RADICL

RADICL's mission is to give SMBs that serve America's Defense Industrial Base (DIB) access to strong, enterprise-grade cyber security protection.

Halo Security

Halo Security

Halo Security is a fast, easy, and scalable external attack surface management platform that gives security leaders deep visibility into their internet-facing assets.