
New York Fines PayPal $2 Million Over 2022 Data Breach

The New York Department of Financial Services (NYDFS) has ordered PayPal to pay a $2 million fine for violating the state’s cybersecurity regulation, failures that led to a data breach in 2022.

The Department of Financial Services (DFS) found that attackers used credential-stuffing attacks, taking advantage of weaknesses in PayPal’s security controls, to obtain sensitive customer data.

PayPal confirmed in early 2023 that attackers had accessed roughly 35,000 customer accounts between December 6 and 8, 2022. The exposed information included full names, dates of birth, postal addresses, Social Security numbers, and individual tax identification numbers.

DFS found that PayPal’s cybersecurity practices did not meet New York’s demanding standards. According to reports, the weakness arose after the business modified its data flows to give more customers access to IRS tax forms (1099-Ks). Those changes inadvertently created gaps that attackers exploited.

According to the Department of Financial Services:

Customer data was exposed after PayPal implemented changes to existing data flows to make IRS Form 1099-Ks available to more of its customers. However, the teams tasked with implementing these changes were not trained on PayPal’s systems and application development processes. As a result, they failed to follow proper procedures before the changes went live.

New York DFS Finds Major Security Flaws in PayPal’s Systems

The New York Department of Financial Services (DFS) disclosed in a consent order dated January 23 that a PayPal security analyst had reported an online post with the subject “PP EXPLOIT TO GET SSN.” The post was a potential route to consumers’ Social Security numbers: it gave instructions that directed readers to a PayPal link.

PayPal swiftly resolved the issue, but an investigation found that the original changes had bypassed the company’s “Risk and Control Identification Process” because of a clerical error. As a result, anyone holding a legitimate PayPal account could view other customers’ 1099-K documents and the sensitive information on them.

The company had not implemented fundamental security measures such as mandatory multi-factor authentication (MFA) to verify the identity of individuals logging in. In addition, the design of its access controls, which determine who may view what, was inadequate.
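The order describes the outcome (one account could read other customers’ 1099-K documents) but not the code behind it. The following is an added example, written for this page and not PayPal’s code, of the general shape such an access-control gap takes: an endpoint that checks the login session but never checks that the requested document belongs to the caller, beside the hardened version. The document store, identifiers and user names are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TaxForm:
    doc_id: str
    owner: str       # account the 1099-K belongs to
    tin_last4: str   # stand-in for the SSN/ITIN and other fields such a form carries


# Constructed in-memory store (hypothetical data). The ids are sequential on
# purpose: guessable identifiers are what turn a missing ownership check into
# bulk exposure rather than a one-off leak.
FORMS = {
    "1099k-1001": TaxForm("1099k-1001", "alice", "1234"),
    "1099k-1002": TaxForm("1099k-1002", "bob", "5678"),
    "1099k-1003": TaxForm("1099k-1003", "mallory", "9012"),
}


class Forbidden(Exception):
    """Raised when the caller is authenticated but not authorized for the object."""


def get_form_vulnerable(session_user, doc_id):
    """Authenticated but not authorized: the login session was validated upstream,
    and then any account can fetch any form simply by knowing (or guessing) its id.
    session_user is deliberately unused; that is the bug."""
    return FORMS.get(doc_id)


def get_form(session_user, doc_id):
    """Object-level authorization: the document must belong to the caller.
    A missing form and someone else's form produce the same error, so the
    endpoint cannot be used to enumerate which ids exist."""
    form = FORMS.get(doc_id)
    if form is None or form.owner != session_user:
        raise Forbidden(f"{session_user} may not access {doc_id}")
    return form


def list_forms(session_user):
    """The safer query shape: select by owner, never by a client-supplied id."""
    return [f for f in FORMS.values() if f.owner == session_user]


def scrape(fetch, session_user, id_range):
    """What an attacker holding one legitimate account does: walk the id space
    and keep whatever comes back. Returns the owners whose forms were read."""
    seen = []
    for n in id_range:
        try:
            form = fetch(session_user, f"1099k-{n}")
        except Forbidden:
            continue
        if form is not None:
            seen.append(form.owner)
    return seen


if __name__ == "__main__":
    ids = range(1000, 1010)
    print("vulnerable:", scrape(get_form_vulnerable, "mallory", ids))  # every customer's form
    print("hardened:  ", scrape(get_form, "mallory", ids))             # only mallory's own
```

The check worth taking from this is the second one: the hardened function refuses with the same error whether the id is unknown or belongs to someone else, and the listing function never accepts an id from the client at all. A review process like the one the order says was skipped is where a reviewer would ask whether every new read path has that ownership test.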

Furthermore, the system had no defences against automated login attacks, such as CAPTCHA challenges or limits on failed attempts, so attackers could try thousands of username and password combinations unimpeded. These missing controls made it significantly easier to break in by credential stuffing, in which username and password pairs stolen from other breaches are replayed against the login form in the hope that customers reused them.
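As an added example (not from the article and not PayPal’s tooling), the following shows the two controls the paragraph says were absent: a detector that recognises credential stuffing in authentication logs by its signature (one source trying many different usernames with a low success rate, which a legitimate user mistyping one password never produces), and a per-IP and per-account limiter on failed attempts. The log format, thresholds and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format, not real telemetry). One IP sprays
# ten different usernames and gets one hit; a real user mistypes twice from another IP.
SAMPLE_LOG = """\
2022-12-06T10:00:01Z ip=203.0.113.10 user=alice result=fail
2022-12-06T10:00:02Z ip=203.0.113.10 user=bob result=fail
2022-12-06T10:00:03Z ip=203.0.113.10 user=carol result=fail
2022-12-06T10:00:04Z ip=203.0.113.10 user=dave result=success
2022-12-06T10:00:05Z ip=203.0.113.10 user=erin result=fail
2022-12-06T10:00:06Z ip=203.0.113.10 user=frank result=fail
2022-12-06T10:00:07Z ip=203.0.113.10 user=grace result=fail
2022-12-06T10:00:08Z ip=203.0.113.10 user=heidi result=fail
2022-12-06T10:00:09Z ip=203.0.113.10 user=ivan result=fail
2022-12-06T10:00:10Z ip=203.0.113.10 user=judy result=fail
2022-12-06T10:01:00Z ip=198.51.100.7 user=mallory result=fail
2022-12-06T10:01:05Z ip=198.51.100.7 user=mallory result=fail
2022-12-06T10:01:09Z ip=198.51.100.7 user=mallory result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>success|fail)$"
)


def parse_log(text):
    """Parse log lines into (timestamp, ip, user, succeeded) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"] == "success"))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_users=8, max_success_rate=0.25):
    """Return source IPs that, within any sliding window, tried at least min_users
    distinct usernames with a success rate at or below max_success_rate."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    flagged = set()
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            in_window = attempts[start:end + 1]
            users = {u for _, u, _ in in_window}
            successes = sum(1 for _, _, ok in in_window if ok)
            if len(users) >= min_users and successes / len(in_window) <= max_success_rate:
                flagged.add(ip)
                break
    return flagged


class LoginThrottle:
    """Limit failed attempts per key (an IP, an account) inside a sliding window.
    Once max_failures failures are on record, further attempts are refused until
    the oldest failure ages out of the window."""

    def __init__(self, max_failures=5, window=timedelta(minutes=15)):
        self.max_failures = max_failures
        self.window = window
        self._failures = defaultdict(list)  # key -> timestamps of failed attempts

    def allow(self, key, now):
        self._failures[key] = [t for t in self._failures[key] if now - t <= self.window]
        return len(self._failures[key]) < self.max_failures

    def record_failure(self, key, now):
        self._failures[key].append(now)


def replay_with_throttle(events, max_failures=5, window=timedelta(minutes=15)):
    """Replay the log through per-IP and per-account limiters and return how many
    attempts would have been refused before a password was ever checked."""
    throttle = LoginThrottle(max_failures, window)
    refused = 0
    for ts, ip, user, ok in sorted(events):
        if not (throttle.allow(("ip", ip), ts) and throttle.allow(("user", user), ts)):
            refused += 1
            continue
        if not ok:
            throttle.record_failure(("ip", ip), ts)
            throttle.record_failure(("user", user), ts)
    return refused


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("stuffing sources:", detect_credential_stuffing(events))
    print("attempts a throttle would have refused:", replay_with_throttle(events))
```

Two design points matter here. The detector keys on distinct usernames per source rather than on raw failure counts, so a customer who forgets a password is not flagged while a source cycling through a stolen credential list is. The throttle keys on both the IP and the account, because stuffing campaigns spread across many IPs to stay under a per-IP limit, and a per-account limit alone is what the legitimate user in the sample log would hit first; production deployments add a CAPTCHA step at the threshold rather than a hard refusal, and MFA on the account means a correct password alone is still not enough.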

DFS concluded that PayPal had failed to implement robust cybersecurity policies, employee training, and authentication controls, in violation of several requirements of the New York Cybersecurity Regulation (23 NYCRR §§ 500.3, 500.10 and 500.12).

PayPal has agreed to pay the $2 million fine within 10 days of the consent order’s issuance, and cyber insurance will not cover the penalty. DFS credited PayPal’s transparency during the investigation and its subsequent security changes, which included mandatory multi-factor authentication for all U.S. customer logins and revised internal policies.

Despite law enforcement crackdowns, dark web forums continue to sell thousands of PayPal credentials. PayPal did not respond to requests for comment. The 34,942 victims of the December 2022 breach received two years of free Equifax services, including credit monitoring, fraud alerts, and identity restoration.

At Phishing Tackle, we know all too well that security technology is often left incorrectly configured, demonstrated by our free Domain Spoofing Test which currently gets past around 50% of users’ security systems.

Security Awareness Training remains one of the most cost-effective methods of strengthening cybersecurity within your business. Have a look at our free Click-Prone® Test to find out how many of your staff are susceptible to a phishing attack and learn how you can reduce this number today.
