PayPal will pay $2 million to settle New York State charges that cybersecurity failures at the firm led to customers' Social Security numbers being exposed.
A New York State Department of Financial Services (NYDFS) investigation determined that PayPal failed to use qualified personnel to manage key cybersecurity functions and failed to provide adequate training to address cyber risks.
Customer data was exposed after PayPal implemented changes to existing data flows to make IRS Form 1099-Ks available to more of its customers. However, the teams tasked with implementing these changes were not trained on PayPal’s systems and application development processes.
As a result, they failed to follow proper procedures before the changes went live. This allowed cybercriminals to leverage compromised credentials to access Form 1099-Ks, which contained sensitive customer data, including SSNs.
PayPal discovered the issue in late 2022 and self-reported. It has since fixed the problems and improved its cybersecurity practices, says the NYDFS.