PayPal Ordered To Pay $2 Million Settlement Over 2022 Data Breach
New York State’s Department of Financial Services (DFS) has finally ordered PayPal to pay a $2 million settlement over a three-year-old data breach. On January 18, 2023, PayPal announced that it had suffered a massive data breach that allowed cybercriminals to access customers’ sensitive personal information.
The consent order, dated January 23, 2025, describes the events related to that data breach. Per the document, a security analyst alerted PayPal to an online message titled “PP EXPLOIT TO GET SSN” on December 6, 2022. A URL attached to the message redirected users to PayPal’s website to check their Social Security Numbers (SSNs).
On the same day, PayPal noticed that the Form 1099-Ks available on PayPal’s website had unmasked customer information. This included details like names, dates of birth, and full SSNs. The cybercriminals could access those details for about seven weeks, noted Adrienne A. Harris, Superintendent of Financial Services.
The following day, December 7, PayPal’s cybersecurity team noticed a surge in attempts to access its website using credential stuffing. The motive was “to gain access to the NPI available in the unmasked Form 1099-Ks.” The DFS concluded that PayPal failed to use qualified staff to handle key cybersecurity functions or properly train its staff.
The investigating body also found that PayPal’s previous practice didn’t require multi-factor authentication (MFA) or CAPTCHA to prevent unauthorized access. It’s worth noting that PayPal received a $2 million fine for violating the DFS’s cybersecurity regulation implemented back in 2017.
PayPal will also have to ensure all the US customers use MFA for logins
The consent order further requires all PayPal users in the US to use multi-factor authentication (MFA) for account logins. As technology continues to get better each day, cybercriminals are evolving their tricks to breach systems. So, if you are looking to prevent unauthorized access to your online accounts, it’s best to set up multi-factor authentication.