New York State has announced a $2,000,000 settlement with PayPal over charges that it failed to comply with the state's cybersecurity regulations, resulting in a 2022 data breach.
The Department of Financial Services (DFS) action says that threat actors took advantage of security gaps in PayPal's systems to conduct credential stuffing attacks that provided access to sensitive customer information.
In 2023, PayPal disclosed that threat actors conducted a large-scale credential stuffing attack between December 6th and December 8th, 2022, in which 35,000 accounts were breached.
The data exposed at the time included full names, dates of birth, postal addresses, social security numbers, and individual tax identification numbers.
New York's DFS announcement sheds more light on the breach, explaining that one of PayPal's security lapses was an error in how Form 1099-K tax forms were distributed on the platform.
“Customer data was exposed after PayPal implemented changes to existing data flows to make IRS Form 1099-Ks available to more of its customers,” explains DFS.
“However, the teams tasked with implementing these changes were not trained on PayPal’s systems and application development processes. As a result, they failed to follow proper procedures before the changes went live.”
Following the faulty implementation, cybercriminals holding valid credentials for PayPal accounts were able to access those accounts and their 1099-K forms, which revealed a great deal of sensitive information.
The success of these "credential stuffing" attacks hinged upon the lack of multi-factor authentication (MFA) protection, which was not mandatory on the platform at the time.
This, combined with weak access controls allowing automated login attempts without CAPTCHA or rate limiting, constituted key compliance failures for PayPal.
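The two controls named above, per-source rate limiting and detection of one source cycling through many accounts, are shown here as an added illustration; this is not PayPal's code or anything from the DFS order, and the log format and sample lines are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log: timestamp, source IP, account, result.
# One source tries many different accounts within seconds; the other is a user who mistypes once.
SAMPLE_LOG = """\
2022-12-06T10:00:00 203.0.113.7 alice FAIL
2022-12-06T10:00:01 203.0.113.7 bob FAIL
2022-12-06T10:00:01 203.0.113.7 carol OK
2022-12-06T10:00:02 203.0.113.7 dave FAIL
2022-12-06T10:00:02 203.0.113.7 erin FAIL
2022-12-06T10:00:03 203.0.113.7 frank OK
2022-12-06T10:00:03 203.0.113.7 grace FAIL
2022-12-06T10:00:04 203.0.113.7 heidi FAIL
2022-12-06T10:05:00 198.51.100.9 alice FAIL
2022-12-06T10:05:30 198.51.100.9 alice OK
"""

def parse_log(text):
    """Parse the constructed log format into (time, source, account, success) tuples."""
    events = []
    for line in text.splitlines():
        ts, src, account, result = line.split()
        events.append((datetime.fromisoformat(ts), src, account, result == "OK"))
    return events

class SlidingWindowLimiter:
    """Per-key sliding window: refuse once `limit` attempts fall inside `window`."""
    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)
    def allow(self, key, now):
        q = self.hits[key]
        while q and now - q[0] > self.window:   # drop attempts that aged out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def analyze(events, limit=5, window=timedelta(seconds=60), min_accounts=6):
    """Replay events through the limiter and flag sources touching many distinct accounts."""
    limiter = SlidingWindowLimiter(limit, window)
    blocked = defaultdict(int)          # attempts the limiter would have refused, per source
    accounts = defaultdict(set)         # distinct accounts tried per source
    for ts, src, account, _ok in events:
        accounts[src].add(account)
        if not limiter.allow(src, ts):
            blocked[src] += 1
    flagged = {src for src, seen in accounts.items() if len(seen) >= min_accounts}
    return dict(blocked), flagged
```

On the sample log, the limiter refuses the attacker's attempts after the fifth in a minute while the legitimate user is never throttled, and the distinct-account count singles out the stuffing source even though some of its logins succeeded.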
The consent order specifies violations of 23 NYCRR § 500.3, 500.10, and 500.12 of the New York Cybersecurity Regulation for failure to implement proper cybersecurity policies, personnel training, and authentication controls.
Though PayPal took several remediation steps following the discovery of the breach, including masking sensitive data on IRS forms, implementing CAPTCHA and rate limiting, and making MFA mandatory for all U.S. customer accounts, this came too late, according to DFS.
The settlement terms mandate that PayPal pay a fine of $2 million within 10 days, while no further action will be taken unless New York's DFS discovers new violations.