PayPal to Pay $2M Fine for Cybersecurity Failures in New York State

PayPal will pay $2 million in settlements to New York State’s Department of Financial Services over weak cybersecurity measures that caused a sensitive customer data leak in 2022.

According to New York State’s Department of Financial Services (NYDFS) investigation, PayPal’s cybersecurity deficiencies led to the exposure of sensitive customer information, including Social Security numbers, in a data breach lasting approximately seven weeks in late 2022. The company agreed to pay a fine of $2 million.

The alleged reasons for the incident included PayPal’s failure to implement essential security controls, such as multifactor authentication and CAPTCHA, making it easier for cybercriminals to access customer data. Moreover, the payment provider lacked qualified personnel in key cybersecurity roles, as the company did not provide responsible employees with sufficient training to address cybersecurity risks.

Hackers apparently used a method called “credential stuffing,” in which they took usernames and passwords stolen from other websites and used them to log in to PayPal accounts. This gave them access to sensitive information, including federal tax forms. Such attacks typically use bots for automation and scale. They rely on the assumption that many users reuse the same usernames and passwords across multiple services. Surveys find that almost 80% of individuals use the same credentials for at least two different services, while about 10% use the same password for every online account.

Following the incident and NYDFS probe, PayPal has taken several steps to enhance its cybersecurity measures. These include multifactor authentication on all U.S. accounts, password resets for affected users, and CAPTCHA added to the login process.

Earlier, PayPal faced a class action lawsuit regarding the popular e-commerce browser extension Honey, which the company acquired in 2019. The main accusation comes from content creators who say the extension is a scam that has been stealing their affiliate commissions. The lawsuit alleges that Honey replaces affiliate links with its own, taking credit and redirecting commissions.

Nina Bobro
