PayPal has agreed to pay $2 million to settle charges from New York State regarding cybersecurity failures that resulted in the exposure of customers’ Social Security numbers.
An investigation by the New York State Department of Financial Services (NYDFS) found that PayPal did not employ qualified personnel to manage essential cybersecurity functions and did not provide sufficient training to mitigate cyber risks.
The data exposure occurred when PayPal made modifications to data flows to facilitate broader access to IRS Form 1099-Ks for its customers. However, the teams responsible for these changes lacked training on PayPal’s systems and application development processes. Consequently, they did not adhere to proper procedures before the changes were implemented, enabling cybercriminals to exploit compromised credentials and access Form 1099-Ks, which contained sensitive customer information, including Social Security numbers.
PayPal became aware of the issue in late 2022 and reported it to the authorities. Since then, the company has addressed the vulnerabilities and enhanced its cybersecurity measures, according to the NYDFS.