PayPal Pays A Price For Exposing Customer Data

Uploaded on 2025-01-31 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Financial

PayPal has agreed to pay a $2 million civil fine to New York State’s Department of Financial Services (DFS) after an investigation revealed serious cyber security flaws that led to the exposure of customers’ Social Security numbers.

This left names, dates of birth and Social Security numbers belonging to customers of the leading  digital payments company exposed and easily accessible to cyber criminals for a perood of seven weeks. 

The issue stemmed from PayPal’s failure to implement adequate cyber security controls, which allowed cybercriminals to access sensitive personal information.

According to DFS, PayPal’s negligence in managing its cyber security infrastructure allowed customers’ names, dates of birth, and Social Security numbers to be exposed for nearly seven weeks.

The breach was discovered following a report on December 6, 2022, when a security analyst saw an online message referencing a vulnerability related to Social Security numbers. Subsequently, PayPal’s cyber security team noticed an unusual uptick in access attempts, which led them to determine that cyber criminals were using “credential stuffing” attacks to gain unauthorised access to personal details.

The investigation found that PayPal had not used qualified staff for key cyber security functions, nor had it provided sufficient training to address the risks associated with these vulnerabilities. Additionally, PayPal’s failure to require multifactor authentication or implement other protective measures like CAPTCHA left accounts more vulnerable to attack.

In response to the findings, PayPal has since taken corrective actions, including implementing mandatory multifactor authentication for all US accounts, forcing password resets for affected users, and introducing CAPTCHA as an added layer of protection. Despite these efforts, the fine highlights the importance of robust cyber security practices in safeguarding user data.

Adrienne Harris, Superintendent of New York’s Department of Financial Services, emphasised that PayPal’s actions violated the state’s cyber security regulations.

While PayPal has expressed commitment to improving security and protecting consumer information, the incident serves as a reminder of the ongoing risks and the need for strong cyber security measures s in digital finance.

Reuters   |    I-HIS    |   Straight Arrow News     |    USA Today  |   Cyber News Group     |     Yahoo

Image: @PayPal

You Might Also Read: 

Fake PayPal Emails Cost £8million In Theft:

If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« How Does DeepSeek Compare With Other Chatbot AI Tools?
The British Government Faces Severe Cyber Threats »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Zurich

Zurich

Zurich is a leading multi-line insurer providing a wide range of property and casualty, and life insurance products and services in more than 210 countries and territories.

Indium Software

Indium Software

Indium Software is an Independent Software Testing Company offering software testing services (including security testing) and offshore Quality Assurance solutions.

Astra Security

Astra Security

Astra's website security solution provides real-time protection against malware, hackers, SQLi, XSS, DDoS, LFI and RFI.

Bricata

Bricata

Bricata offers industry-leading IPS solutions for enterprise-wide threat prevention and unparalleled situational awareness.

National Authority Against Electronic Attacks (NAAEA) - Greece

National Authority Against Electronic Attacks (NAAEA) - Greece

The National Authority Against Electronic Attacks (NAAEA) is the national computer emergency response team of Greece.

AFCERT

AFCERT

AFCERT is the national Computer Emergency Response Team for Afghanistan.

Exabeam

Exabeam

Exabeam is a global cybersecurity leader that delivers AI-driven security operations.

e-Crime Bureau

e-Crime Bureau

e-Crime Bureau is a specialized company offering cyber/computer forensics, cyber security consulting services, forensic audit and investigations services and training to clients across Africa.

CYQUEO

CYQUEO

CYQUEO is your professional partner and system integrator. We secure your organization against advanced cyber threats.

Agility Networks

Agility Networks

Agility Networks is a technology company providing integrated services and solutions for Digital Transformation and Cyber Security.

Cypress Data Defense

Cypress Data Defense

Cypress Data Defense helps clients build secure applications by providing training, best practices, and evaluating security during every stage of the Secure Application Development Lifecycle.

Panacea Infosec

Panacea Infosec

Panacea Infosec is a leading provider of information security compliance services. We help our clients in protecting their data, reducing security risks and fighting cybercrime.

Luta Security

Luta Security

Luta Security implements a holistic approach to advance the security maturity of governments and organizations around the world.

CyBourn

CyBourn

Cybourn's diverse offerings include engineering, analysis, product development, assessment, and advisory services in the cybersecurity space.

RightCue Assurance

RightCue Assurance

RightCue Assurance identify opportunities for improvement in the Information Security for your organisation and work with you to reduce cyber risk.

Custom Computer Specialist (CCS)

Custom Computer Specialist (CCS)

CCS offers an extensive range of services including cybersecurity solutions, consulting, implementation, and support to help our clients maximize the value derived from IT investments.