The New York State Department of Financial Services (DFS) announced a settlement under which PayPal, Inc. will pay a USD 2 million penalty for violations of the Department's Cybersecurity Regulation (23 NYCRR Part 500). The settlement follows an investigation into cybersecurity failures that exposed sensitive customer information, including Social Security numbers. DFS found that PayPal did not use qualified personnel to manage key cybersecurity functions and did not provide adequate training to address cybersecurity risks. The exposure occurred after PayPal changed existing data flows to make IRS Form 1099-K available to more of its customers; the teams responsible had not been trained and did not follow proper procedures before the changes went live. As a result, cybercriminals using compromised credentials (credential stuffing) were able to access 1099-K forms containing unredacted sensitive data. DFS also identified gaps in PayPal's written policies covering access controls, identity management and customer data, and weaknesses in the controls meant to prevent unauthorized access: PayPal did not require multifactor authentication and did not use measures such as CAPTCHA or rate limiting that would have slowed automated login attempts. PayPal has since remediated these issues. DFS noted that its Cybersecurity Regulation has been in effect since March 2017 and that a second amendment took effect in November 2023.
New York State Department of Financial Services 2025-01-23
New York State Department of Financial Services reaches USD 2 million cybersecurity settlement with PayPal over unredacted Social Security numbers
The New York State Department of Financial Services has settled with PayPal, Inc., which will pay a USD 2 million penalty for violations of the Department's Cybersecurity Regulation. The investigation found inadequate management of cybersecurity functions and inadequate training at PayPal, which led to the exposure of sensitive customer data, including Social Security numbers. PayPal has since addressed the identified deficiencies, including gaps in access controls and identity management.