The New York State Department of Financial Services (DFS) imposed a civil monetary penalty of $2 million on PayPal for violating its cybersecurity regulations. The DFS requires PayPal to establish and implement a cybersecurity program and procedures, based on a risk assessment, that protect consumers' private information.
The incident that led to the civil penalty dates back to October 18, 2022. To comply with the American Rescue Plan Act, the company was required to make Form 1099-Ks available to customers; in doing so, it also inadvertently exposed Nonpublic Information (NPI).
On December 6, 2022, a PayPal security analyst found an online message saying, “PP EXPLOIT TO GET SSN” and details on how to access unmasked details from Form 1099-Ks, as noted in a DFS document.
The message explained how to find PayPal customers' names, dates of birth and full Social Security Numbers (SSNs). The following day, the company observed a spike in attempts to access PayPal's website, leading to the suspicion of a cyber attack.
In 2023 PayPal suffered credential stuffing attempts, in which stolen login credentials were used to sign in to accounts and reach the NPI, resulting in 35,000 accounts being breached.
In response, the company masked the NPI and added CAPTCHA challenges and rate limiting, which stopped the automated account access.
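The two controls named above, masking NPI before it leaves the API and rate limiting login attempts, as an added Python example that is not from the article or from PayPal's code; the log format, field names and thresholds are assumptions, and the sample log is constructed.

```python
"""Added example (not PayPal's code): NPI masking and a sliding-window login
rate limiter applied to a constructed auth log."""
import re
from collections import defaultdict, deque

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def mask_ssn(value: str) -> str:
    """Mask all but the last four digits of any SSN found in a string."""
    return SSN_RE.sub(r"***-**-\3", value)


def mask_form_1099k(record: dict) -> dict:
    """Return a copy of a tax-form record (assumed field names) with NPI masked."""
    masked = dict(record)
    if "ssn" in masked:
        masked["ssn"] = mask_ssn(masked["ssn"])
    if "dob" in masked:
        masked["dob"] = "****-**-**"  # expose no part of the date of birth
    return masked


class LoginRateLimiter:
    """More than `limit` login attempts from one source within `window` seconds
    is treated as automated access (a credential-stuffing signal)."""

    def __init__(self, limit: int = 5, window: float = 60.0):
        self.limit, self.window = limit, window
        self.attempts = defaultdict(deque)  # source -> timestamps in window

    def allow(self, source: str, now: float) -> bool:
        q = self.attempts[source]
        while q and now - q[0] >= self.window:
            q.popleft()  # drop attempts that fell out of the window
        if len(q) >= self.limit:
            return False  # block, or hand the request to a CAPTCHA challenge
        q.append(now)
        return True


def replay(log_lines, limiter: LoginRateLimiter) -> set:
    """Replay constructed auth-log lines 'timestamp ip username'; return blocked IPs."""
    blocked = set()
    for line in log_lines:
        ts, ip, _user = line.split()
        if not limiter.allow(ip, float(ts)):
            blocked.add(ip)
    return blocked


# Constructed sample: one IP cycles through many usernames within seconds,
# while a legitimate user retries twice half a minute apart.
SAMPLE_LOG = [f"{i} 203.0.113.9 user{i}" for i in range(8)] + [
    "100 198.51.100.4 alice", "130 198.51.100.4 alice"]

if __name__ == "__main__":
    print(mask_form_1099k({"name": "J. Doe", "ssn": "123-45-6789", "dob": "1980-01-02"}))
    print(replay(SAMPLE_LOG, LoginRateLimiter()))
```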
However, the DFS found that PayPal had failed to conduct the Risk and Control Identification Process (RCIP) that its development policies at the time required when implementing a new product or capability.
The Department of Financial Services further added that the PayPal engineering team that implemented the Form 1099-K feature was not adequately trained on the company's own policies and procedures for deploying code.
PayPal also did not carry out the required penetration testing and vulnerability scanning, violating the cybersecurity regulation's provisions 23 NYCRR § 500.3(d), (i) and (k).
The penalty must be paid by wire transfer within 10 days of the consent order.