PayPal is paying up for reportedly failing to protect tens of thousands of customers’ sensitive personal information. New York State’s Department of Financial Services (DFS) announced on Thursday, Jan. 23, that the company will pay a $2 million fine for cybersecurity failures in early 2022, which exposed customers’ Social Security numbers.
The fine is for violating the department’s cybersecurity regulation, which was implemented in 2017.
A probe by the DFS found that PayPal did not use qualified staff to manage crucial cybersecurity functions or provide proper training to protect against cybersecurity risks.
The DFS superintendent said systemic failures led to dates of birth and Social Security numbers belonging to PayPal customers being exposed to cybercriminals for around seven weeks.
PayPal was alerted to the problem after a security analyst read an online message that said, “PP EXPLOIT TO GET SSN.”
The following day, PayPal’s cybersecurity team saw a surge in attempts to hack its online platform, as cybercriminals used stolen data to access the federal tax forms of tens of thousands of customers.
The probe also found problems with PayPal’s former practice of neither requiring multifactor authentication nor employing tactics to detect bots.
PayPal cooperated with the investigation and said in response to the probe that keeping “a secure platform is a top priority.”
The company now requires all U.S. customers to use multifactor authentication, has required password resets on affected customer accounts, and has deployed protections to detect bots.