By Jonathan Stempel
January 23, 2025 – 8:31 AM PST
NEW YORK (Reuters) – PayPal (PYPL.O) will pay a $2 million civil fine over cybersecurity failures that led to the exposure of customers’ Social Security numbers in late 2022, New York state’s Department of Financial Services said on Thursday.
Adrienne Harris, New York’s financial services superintendent, said a probe by her office found PayPal failed to use qualified staff to manage key cybersecurity functions or provide adequate training to address cybersecurity risks.
This left names, dates of birth and Social Security numbers belonging to customers of the San Jose, California-based digital payments company easily accessible to cybercriminals for about seven weeks, she said.
PayPal cooperated with the probe. “Protecting consumers’ personal information and maintaining a secure platform is a top priority for us and we take our regulatory responsibilities seriously,” the company said in a statement.
According to a consent order, PayPal discovered the problem after a security analyst on Dec. 6, 2022 read an online message that said “PP EXPLOIT TO GET SSN.”
The next day, PayPal’s cybersecurity team saw a spike in attempts to access its online platform, and determined that cybercriminals were using “credential stuffing” to view federal tax forms for tens of thousands of customers.
Data were exposed after PayPal made changes to existing data flows so it could make the forms available to more customers.
Harris also faulted PayPal for not requiring customers to use multifactor authentication or controls such as CAPTCHA to prevent unauthorized access.
The fine was for violating the financial services department’s cybersecurity regulation, adopted in 2017.
PayPal now requires multifactor authentication on all U.S. customer accounts, forced password resets on affected accounts, and has implemented CAPTCHA, the consent order said.
Reporting by Jonathan Stempel in New York; Editing by Hugh Lawson and Bill Berkrot
