PayPal Pays A Price For Exposing Customer Data

PayPal has agreed to pay a $2 million civil fine to New York State’s Department of Financial Services (DFS) after an investigation revealed serious cyber security flaws that led to the exposure of customers’ Social Security numbers.

This left names, dates of birth and Social Security numbers belonging to customers of the leading digital payments company exposed and easily accessible to cyber criminals for a period of seven weeks.

The issue stemmed from PayPal’s failure to implement adequate cyber security controls, which allowed cybercriminals to access sensitive personal information.

According to DFS, PayPal’s negligence in managing its cyber security infrastructure allowed customers’ names, dates of birth, and Social Security numbers to be exposed for nearly seven weeks.

The breach was discovered following a report on December 6, 2022, when a security analyst saw an online message referencing a vulnerability related to Social Security numbers. Subsequently, PayPal’s cyber security team noticed an unusual uptick in access attempts, which led them to determine that cyber criminals were using “credential stuffing” attacks to gain unauthorised access to personal details.

The investigation found that PayPal had not used qualified staff for key cyber security functions, nor had it provided sufficient training to address the risks associated with these vulnerabilities. Additionally, PayPal’s failure to require multifactor authentication or implement other protective measures like CAPTCHA left accounts more vulnerable to attack.

In response to the findings, PayPal has since taken corrective actions, including implementing mandatory multifactor authentication for all US accounts, forcing password resets for affected users, and introducing CAPTCHA as an added layer of protection. Despite these efforts, the fine highlights the importance of robust cyber security practices in safeguarding user data.

Adrienne Harris, Superintendent of New York’s Department of Financial Services, emphasised that PayPal’s actions violated the state’s cyber security regulations.

While PayPal has expressed commitment to improving security and protecting consumer information, the incident serves as a reminder of the ongoing risks and the need for strong cyber security measures in digital finance.

Reuters | I-HIS | Straight Arrow News | USA Today | Cyber News Group | Yahoo

Image: @PayPal
