New York Watchdog Hits PayPal With $2m Penalty Over Cybersecurity Failures

January 27, 2025
The New York State Department of Financial Services (NYDFS) has taken enforcement action against online payments giant PayPal for violations of the state's Cybersecurity Regulation.

An investigation by the regulator revealed serious lapses in the company's cybersecurity practices, resulting in the exposure of sensitive customer information, including social security numbers (SSNs), to cyber criminals.

New York’s Cybersecurity Regulation (23 NYCRR Part 500), which has been in effect since 2017 and was amended in 2023, imposes strict requirements on covered financial entities to safeguard customer data and respond effectively to cybersecurity threats.

“New York’s nation-leading cybersecurity regulation sets a critical standard for safeguarding consumer data and strengthening the resilience of financial institutions,” said Superintendent Adrienne A. Harris. 

“Qualified cybersecurity personnel are the first line of defense against potential data breaches, and providing proper training and effectively implementing cybersecurity policies and procedures are vital steps to protecting sensitive data and mitigating risks.” 

Key failings

According to the consent order, PayPal failed to adequately train personnel tasked with managing core cybersecurity functions. 

These failures occurred during system changes implemented in 2022 to comply with updated Internal Revenue Service (IRS) reporting requirements for Form 1099-K, which reports payments from payment apps or online marketplaces and from credit, debit or stored-value cards.

The changes, which aimed to expand access to tax forms for more customers, were misclassified by PayPal’s engineering team as a routine platform migration rather than a new capability.

Because of the misclassification, the change skipped the risk assessment and security review that a new capability would have received, and attackers were able to reach unredacted customer data through the expanded tax-form access.

The investigation found that PayPal did not require multi-factor authentication (MFA) on customer accounts at the time of the incident, and that it had no CAPTCHA or rate limiting on logins; both were added only after the breach was discovered.

Those three controls are the standard defences against credential stuffing, the automated replay of usernames and passwords stolen elsewhere, which is how the consent order says the unmasked forms were reached.

The exposed information included SSNs, names and dates of birth, which were left unmasked in customer tax forms that were accessible through PayPal’s platform.
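As an added illustration of two of the safeguards named above, rate limiting of login attempts and masking of SSN and date of birth before a tax form is rendered, the following Python is written for this page and is not PayPal’s code or anything taken from the consent order. The thresholds, the field names of the 1099-K-style record and the sample record itself are assumptions chosen for the example.

```python
"""Two safeguards of the kind the consent order says were missing when the
1099-K forms were exposed: throttling of failed logins so credential stuffing
cannot run at scale, and masking of SSN and date of birth before a tax form
is rendered to the account holder.  Illustrative code, not PayPal's."""
import re
import time
from collections import defaultdict, deque

# Example thresholds (assumptions, not figures from the consent order).
MAX_FAILURES = 5      # failed logins allowed per key inside the window
WINDOW_SECONDS = 300  # sliding window length


class LoginRateLimiter:
    """Sliding-window limiter on failed logins, keyed on account AND source IP.

    Credential stuffing spreads many usernames across a pool of IP addresses,
    so throttling the IP alone misses it; throttling the account alone lets
    one IP hammer thousands of accounts.  Both keys are checked.
    """

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.clock = clock                    # injectable so tests can drive time
        self._failures = defaultdict(deque)   # key -> timestamps of failures

    def _recent(self, key, now):
        """Drop timestamps older than the window and return the live queue."""
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def allowed(self, account, ip):
        """True if a login attempt for this account from this IP may proceed."""
        now = self.clock()
        return all(len(self._recent(k, now)) < self.max_failures
                   for k in (("acct", account), ("ip", ip)))

    def record_failure(self, account, ip):
        """Call after a failed password check; successful logins are not counted."""
        now = self.clock()
        for k in (("acct", account), ("ip", ip)):
            self._recent(k, now).append(now)


SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
DOB_RE = re.compile(r"\d{4}-\d{2}-\d{2}")   # ISO date, an assumed storage format


def mask_ssn(ssn):
    """Keep only the last four digits, the usual convention on tax forms."""
    m = SSN_RE.fullmatch(ssn)
    if not m:
        raise ValueError("not a well-formed SSN")
    return f"***-**-{m.group(3)}"


def mask_dob(dob):
    """Date of birth is not needed on the customer-facing view; hide it fully."""
    if not DOB_RE.fullmatch(dob):
        raise ValueError("not an ISO date")
    return "****-**-**"


# Field names are assumptions about a 1099-K-style record, not PayPal's schema.
SENSITIVE_FIELDS = {"ssn": mask_ssn, "date_of_birth": mask_dob}


def redact_form(record):
    """Return a copy of the record that is safe to render to the account holder.

    Named sensitive fields get their masker; every other string field is
    scanned for SSN-shaped values so a number pasted into a free-text field
    does not leak past the named-field check.  The input is left unchanged.
    """
    out = {}
    for field, value in record.items():
        if field in SENSITIVE_FIELDS:
            out[field] = SENSITIVE_FIELDS[field](value)
        elif isinstance(value, str):
            out[field] = SSN_RE.sub(lambda m: f"***-**-{m.group(3)}", value)
        else:
            out[field] = value
    return out


# Constructed sample record; every value is fictitious.
SAMPLE_FORM = {
    "payee_name": "A. Example",
    "ssn": "123-45-6789",
    "date_of_birth": "1985-07-14",
    "gross_amount": 24150.00,
    "notes": "TIN 123-45-6789 verified against account",
}

if __name__ == "__main__":
    limiter = LoginRateLimiter(max_failures=3, window=60)
    for _ in range(3):
        limiter.record_failure("alice", "203.0.113.7")
    print("alice from another IP allowed?", limiter.allowed("alice", "198.51.100.9"))
    print(redact_form(SAMPLE_FORM))
```

The limiter counts only failed attempts, so a legitimate user who types the right password is never throttled by their own successes, while a stuffing run that rotates source addresses still trips the per-account key. The masking runs on the record at render time rather than in storage, which is the point at issue in the order: the data may legitimately exist unmasked for IRS reporting, but the customer-facing view should never show it that way.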

The NYDFS investigation determined that PayPal violated several provisions of the Cybersecurity Regulation, including requirements to implement written policies addressing access controls, employ qualified cybersecurity personnel and use effective measures to protect against unauthorised access to sensitive customer data. 

Stricter measures

When approached for comment by Vixio, PayPal defended its response to the issue. 

“Protecting consumers’ personal information and maintaining a secure platform is a top priority for us and we take our regulatory responsibilities seriously,” a spokesperson for the company said. 

“After self-reporting and disclosing this issue, we worked closely with the New York Department of Financial Services to resolve this matter, which occurred in December 2022.”

The consent order also credits PayPal’s “commendable cooperation throughout this investigation”.

“The Department also recognizes and credits PayPal’s efforts to remediate the issues identified in this Consent Order, beginning immediately after it discovered the vulnerability,” the document says. 

The company has since implemented stricter security measures, including mandatory MFA for US customers; improved its risk assessment processes; and enhanced training for its engineering teams to ensure compliance with cybersecurity protocols. 

In addition, PayPal has updated its internal policies and procedures to prevent similar incidents in the future.
