New York State has reached a $2 million settlement with PayPal following allegations that the company failed to meet cybersecurity regulations, leading to a significant data breach in December 2022.
The Department of Financial Services (DFS) revealed that security vulnerabilities allowed cybercriminals to carry out credential-stuffing attacks, exposing sensitive information from over 35,000 customer accounts.
The breach occurred between December 6th and December 8th, 2022, and compromised data included customers’ full names, dates of birth, postal addresses, Social Security numbers, and tax identification numbers.
According to DFS, the attacks exploited weak access controls: the absence of mandatory multi-factor authentication (MFA), inadequate CAPTCHA protections, and no rate limiting of login attempts.
A critical lapse involved changes to the distribution of IRS Form 1099-K on the platform. DFS stated that the PayPal teams implementing these changes lacked sufficient training on the company’s systems, leading to procedural errors. These errors allowed attackers who held valid credentials to access sensitive tax forms, exacerbating the breach.
While PayPal implemented remediation steps—such as mandating MFA, masking sensitive data on IRS forms, and introducing CAPTCHA and rate-limiting measures—the DFS deemed these actions insufficient because they were taken only after the breach. The settlement requires PayPal to pay the $2 million fine within ten days, with no further action planned unless additional violations are discovered.
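To illustrate the two login controls the article singles out, here is an added example (not code from the original article or from PayPal) that flags the credential-stuffing profile in constructed sample login events and enforces a sliding-window cap on login attempts per source IP. The events, IP addresses, usernames and thresholds are all assumptions chosen for the demonstration.

```python
from collections import defaultdict, deque

# Constructed sample login events (not real data): (seconds, source_ip, username, success).
# The first source tries one password against many different accounts, the classic
# credential-stuffing shape that per-account lockouts alone do not catch.
SAMPLE_EVENTS = [
    (0, "203.0.113.7", "alice", False),
    (1, "203.0.113.7", "bob", False),
    (2, "203.0.113.7", "carol", False),
    (3, "203.0.113.7", "dave", True),
    (4, "203.0.113.7", "erin", False),
    (5, "203.0.113.7", "frank", False),
    (30, "198.51.100.2", "alice", False),   # ordinary user mistyping once
    (45, "198.51.100.2", "alice", True),
]

def find_stuffing_sources(events, window=60, max_attempts=5, min_users=3, max_success_rate=0.5):
    """Return {ip: summary} for source IPs that, within any sliding `window` seconds,
    made at least `max_attempts` logins against at least `min_users` distinct accounts
    with a success rate no higher than `max_success_rate`."""
    flagged = {}
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    for ip, rows in by_ip.items():
        recent = deque()
        for ts, user, ok in rows:
            recent.append((ts, user, ok))
            while recent and ts - recent[0][0] > window:   # drop events outside the window
                recent.popleft()
            attempts = len(recent)
            users = {u for _, u, _ in recent}
            successes = sum(1 for _, _, s in recent if s)
            if attempts >= max_attempts and len(users) >= min_users \
                    and successes / attempts <= max_success_rate:
                flagged[ip] = {"attempts": attempts, "distinct_users": len(users), "successes": successes}
    return flagged

class LoginRateLimiter:
    """Sliding-window limit on login attempts per source IP, the control the article says was absent."""
    def __init__(self, max_attempts=5, window=60):
        self.max_attempts, self.window = max_attempts, window
        self.history = defaultdict(deque)   # ip -> timestamps of recent attempts

    def allow(self, ip, ts):
        q = self.history[ip]
        while q and ts - q[0] > self.window:   # forget attempts older than the window
            q.popleft()
        if len(q) >= self.max_attempts:
            return False                       # over the cap: reject (and alert) instead of checking the password
        q.append(ts)
        return True
```

Thresholds here are illustrative; in production they would be tuned against real traffic and combined with the MFA and CAPTCHA controls the article mentions.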
Bijay Pokharel