
PayPal hit with $2 million fine by regulators after investigation revealed massive breach

New York regulators fined PayPal $2 million after an investigation by New York's Department of Financial Services (DFS) revealed a serious security breach that exposed customers' personal data, such as social security numbers and more.

According to the investigation, PayPal's security measures on its platform weren't strong enough to keep bad actors from accessing users' private data, including phone numbers, emails, addresses, and social security numbers. The DFS oversees all the financial institutions in the state of New York.

DFS's Superintendent Adrienne A. Harris said in a statement,

“New York’s nation-leading cybersecurity regulation sets a critical standard for safeguarding consumer data and strengthening the resilience of financial institutions. Qualified cybersecurity personnel are the first line of defense against potential data breaches, and providing proper training and effectively implementing cybersecurity policies and procedures are vital steps to protecting sensitive data and mitigating risks.”

The problem started when PayPal made changes to how it handled certain customer data related to IRS Form 1099-K, which is used for tax reporting. The teams responsible for managing these changes weren't properly trained on the systems and processes involved, which led to mistakes that eventually exposed private customer information. The bad actors took advantage of these weaknesses in PayPal's system and accessed customers' sensitive data.

The DFS investigation also found that PayPal didn't have strong policies in place to control who could access sensitive information. These issues violated New York's strict cybersecurity rules, which are designed to protect consumers from data breaches and attacks like these. For context, New York’s Cybersecurity Regulation has been in place since 2017 and was last updated in November 2023.

Earlier this week, Forbes also reported on a "no-phish phishing" technique that bad actors were using against PayPal users to gain access to their accounts. Victims often receive payment requests that seem legitimate, delivered directly through PayPal's platform, which makes it challenging to identify any malicious intent. Instead of using fake emails or misleading links, hackers exploited vulnerabilities in PayPal's infrastructure to blend fraudulent requests with regular transactions, which led many users to unknowingly approve unauthorized payments.

In response, the company has reset passwords for affected users and urged them to use 2FA as an extra layer of security.

via Reuters
