New York State has announced a $2,000,000 settlement with PayPal over charges it failed to comply with the state’s cybersecurity regulations, leading to a 2022 data breach.
The Department of Financial Services (DFS) action says that threat actors took advantage of security gaps in PayPal’s systems to conduct credential stuffing attacks that provided access to sensitive customer information.
In 2023, PayPal disclosed that threat actors had conducted a large-scale credential stuffing attack between December 6th and December 8th, 2022, in which 35,000 accounts were breached.
The data exposed at the time included full names, dates of birth, postal addresses, social security numbers, and individual tax identification numbers.
New York’s DFS announcement sheds more light on the breach, explaining that one of PayPal’s security lapses was an error in how Form 1099-K tax forms were distributed on the platform.
“Customer data was exposed after PayPal implemented changes to existing data flows to make IRS Form 1099-Ks available to more of its customers,” explains DFS.
“However, the teams tasked with implementing these changes were not trained on PayPal’s systems and application development processes. As a result, they failed to follow proper procedures before the changes went live.”
Following the faulty implementation, cybercriminals holding valid credentials for PayPal accounts were able to log in to those accounts and view their 1099-K forms, which exposed a great deal of sensitive information.
The success of these “credential stuffing” attacks hinged upon the lack of multi-factor authentication (MFA) protection, which was not mandatory on the platform at the time.
This, combined with weak access controls allowing automated login attempts without CAPTCHA or rate limiting, constituted key compliance failures for PayPal.
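To make the two controls DFS names concrete, here is an added illustration written for this article (it is not PayPal's or DFS's code, and the login events, IP addresses and usernames in it are constructed). It shows how a credential stuffing run looks different from a user mistyping a password, so that a detector keyed on many distinct usernames from one source with a high failure rate can flag it, and how a simple per-source rate limit would have cut off most of the automated attempts, including one that would otherwise have succeeded.

```python
"""Credential stuffing detection and per-source rate limiting over
constructed login events. Example code added for illustration; the
thresholds, IPs and usernames are assumptions, not values from the case."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class LoginEvent:
    ts: float        # seconds on a constructed timeline
    src_ip: str
    username: str
    success: bool    # True when the submitted credential was valid


# Constructed sample data. Source A is one IP cycling through twelve
# different usernames in twelve seconds with two valid hits, which is the
# shape of a credential stuffing run. Source B is a legitimate user who
# mistypes a password twice and then signs in.
SAMPLE_EVENTS: List[LoginEvent] = [
    *[LoginEvent(ts=float(i), src_ip="198.51.100.7", username=f"user{i:02d}",
                 success=(i in (4, 9))) for i in range(1, 13)],
    LoginEvent(ts=3.0, src_ip="203.0.113.5", username="alice", success=False),
    LoginEvent(ts=8.0, src_ip="203.0.113.5", username="alice", success=False),
    LoginEvent(ts=14.0, src_ip="203.0.113.5", username="alice", success=True),
]


def detect_credential_stuffing(events: Iterable[LoginEvent], window_s: float = 60.0,
                               min_distinct_users: int = 5,
                               min_fail_ratio: float = 0.5) -> Dict[str, dict]:
    """Return {src_ip: summary} for sources that, inside any window_s-second
    window, try at least min_distinct_users different usernames with a
    failure ratio of at least min_fail_ratio. A single user fumbling one
    account never trips this: the distinct-username count stays at 1."""
    by_ip: Dict[str, List[LoginEvent]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_ip[ev.src_ip].append(ev)

    flagged: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        window: Deque[LoginEvent] = deque()
        for ev in evs:
            window.append(ev)
            # Drop events older than the window relative to the newest one.
            while window and ev.ts - window[0].ts > window_s:
                window.popleft()
            users = {e.username for e in window}
            failures = sum(1 for e in window if not e.success)
            if len(users) >= min_distinct_users and failures / len(window) >= min_fail_ratio:
                flagged[ip] = {
                    "attempts": len(window),
                    "distinct_users": len(users),
                    "failures": failures,
                    # Accounts the source actually got into: the breach scope.
                    "compromised": sorted(e.username for e in window if e.success),
                }
    return flagged


class SlidingWindowLimiter:
    """Allow at most max_attempts login attempts per key in any window_s span."""

    def __init__(self, max_attempts: int = 5, window_s: float = 60.0) -> None:
        self.max_attempts = max_attempts
        self.window_s = window_s
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, key: str, ts: float) -> bool:
        q = self._hits[key]
        while q and ts - q[0] >= self.window_s:
            q.popleft()
        if len(q) >= self.max_attempts:
            return False          # over the limit: reject before checking credentials
        q.append(ts)
        return True


def replay_with_limiter(events: Iterable[LoginEvent],
                        limiter: SlidingWindowLimiter) -> Tuple[int, int]:
    """Replay events through the limiter keyed on source IP.
    Returns (attempts blocked, blocked attempts that carried a valid credential)."""
    blocked = blocked_successes = 0
    for ev in sorted(events, key=lambda e: e.ts):
        if not limiter.allow(ev.src_ip, ev.ts):
            blocked += 1
            if ev.success:
                blocked_successes += 1
    return blocked, blocked_successes


if __name__ == "__main__":
    print("flagged sources:", detect_credential_stuffing(SAMPLE_EVENTS))
    print("blocked (total, would-have-succeeded):",
          replay_with_limiter(SAMPLE_EVENTS, SlidingWindowLimiter(5, 60.0)))
```

The detector flags only the source spraying many usernames, not the user retrying one account, and the five-per-minute limit blocks seven of the twelve automated attempts, one of them a valid credential that would otherwise have opened an account. Rate limiting and CAPTCHA raise the cost of each guess; mandatory MFA is what makes a stolen password insufficient on its own.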
The consent order specifies violations of 23 NYCRR § 500.3, 500.10, and 500.12 of the New York Cybersecurity Regulation for failure to implement proper cybersecurity policies, personnel training, and authentication controls.
Although PayPal took several remediation steps following the discovery of the breach, including masking sensitive data on IRS forms, implementing CAPTCHA and rate limiting, and making MFA mandatory for all U.S. customer accounts, this came too late, according to DFS.
The settlement terms mandate that PayPal must pay a fine of $2 million within 10 days, while no further action will be taken unless New York’s DFS discovers new violations.