PayPal Faces $2 Million Settlement Over 2022 Data Breach: What Went Wrong and What’s Next


New York State has reached a $2,000,000 settlement with PayPal after the company was found to have violated the state’s cybersecurity regulations, leading to a significant data breach in 2022. The settlement, announced by the Department of Financial Services (DFS), highlights gaps in PayPal’s cybersecurity practices, which allowed threat actors to exploit vulnerabilities and access sensitive customer information.


The 2022 Breach: What Happened?

In 2023, PayPal disclosed that between December 6th and December 8th, 2022, cybercriminals carried out a credential-stuffing attack, breaching approximately 35,000 customer accounts. Credential stuffing involves using stolen or leaked login credentials to gain unauthorized access to user accounts, exploiting users who reuse passwords across multiple platforms.

The attack exposed a significant amount of sensitive data, including:

  • Full names
  • Dates of birth
  • Postal addresses
  • Social Security numbers
  • Individual Tax Identification Numbers


Key Security Failures

The DFS report sheds light on multiple lapses in PayPal’s cybersecurity measures that contributed to the breach:

  1. Weak Implementation of IRS Form 1099-K Distribution:
    PayPal made changes to its data systems to expand IRS Form 1099-K availability to more users. However, the teams implementing these changes lacked adequate training on PayPal’s application development processes. This oversight led to improper procedures being followed, leaving customer data exposed.
  2. Lack of Multi-Factor Authentication (MFA):
    At the time of the attack, MFA—a critical layer of account security—was not mandatory. This oversight made it easier for cybercriminals to exploit the platform.
  3. Weak Access Controls:
    The absence of CAPTCHA and rate-limiting measures allowed automated login attempts, further enabling the credential-stuffing attack.
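The two controls named in the third failure, rate limiting and detection of automated login bursts, are easy to illustrate. The following is an added example written for this article, not code from PayPal or the DFS report; the log format, IP addresses and account names are constructed for the demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data): timestamp, source IP, account, result.
SAMPLE_LOG = """\
2022-12-06T01:00:00 203.0.113.7 alice FAIL
2022-12-06T01:00:01 203.0.113.7 bob FAIL
2022-12-06T01:00:02 203.0.113.7 carol FAIL
2022-12-06T01:00:03 203.0.113.7 dave OK
2022-12-06T01:00:04 203.0.113.7 erin FAIL
2022-12-06T01:00:05 203.0.113.7 frank FAIL
2022-12-06T01:00:06 203.0.113.7 grace FAIL
2022-12-06T01:05:00 198.51.100.2 alice FAIL
2022-12-06T01:05:30 198.51.100.2 alice FAIL
2022-12-06T01:06:00 198.51.100.2 alice OK
"""

def parse_line(line):
    ts, ip, account, result = line.split()
    return datetime.fromisoformat(ts), ip, account, result

class LoginRateLimiter:
    """Sliding-window limiter: at most `limit` login attempts per source IP per `window`."""
    def __init__(self, limit=5, window=timedelta(minutes=1)):
        self.limit, self.window = limit, window
        self.attempts = defaultdict(deque)   # ip -> timestamps of recent attempts

    def allow(self, ts, ip):
        q = self.attempts[ip]
        while q and ts - q[0] > self.window:  # drop attempts that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(ts)
        return True

def detect_credential_stuffing(log_text, limiter=None, min_accounts=5):
    """Return (attempts blocked by the limiter, IPs that hit >= min_accounts distinct accounts).
    One IP failing against many different accounts in a burst is the credential-stuffing
    signature; repeated failures on a single account look more like a forgotten password."""
    limiter = limiter or LoginRateLimiter()
    targeted = defaultdict(set)   # ip -> accounts with a failed or blocked attempt
    blocked = []
    for line in log_text.splitlines():
        ts, ip, account, result = parse_line(line)
        if not limiter.allow(ts, ip):
            blocked.append((ip, account))
            targeted[ip].add(account)
            continue
        if result == "FAIL":
            targeted[ip].add(account)
    suspects = sorted(ip for ip, accts in targeted.items() if len(accts) >= min_accounts)
    return blocked, suspects
```

On the sample log the limiter blocks the sixth and seventh attempts from 203.0.113.7, and that IP is flagged because it touched six distinct accounts, while the single user retrying their own password from 198.51.100.2 is neither blocked nor flagged.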

Violations and Consequences

The DFS cited PayPal for violations of New York Cybersecurity Regulation 23 NYCRR §§ 500.3, 500.10, and 500.12, which mandate the implementation of cybersecurity policies, personnel training, and robust authentication controls.

Steps Taken by PayPal

In response to the breach, PayPal implemented several remedial actions:

  • Masked sensitive data on IRS Form 1099-Ks.
  • Introduced CAPTCHA and rate-limiting mechanisms to thwart automated login attempts.
  • Made MFA mandatory for all U.S. customer accounts.

However, DFS stated these measures came too late to prevent the damage caused by the 2022 breach.

Settlement Terms

Under the settlement agreement, PayPal must:

  • Pay a $2 million fine within 10 days.
  • Ensure no further violations of New York’s cybersecurity regulations.

No additional actions will be taken unless DFS uncovers further compliance failures.


Lessons for Businesses

This incident underscores the importance of proactive cybersecurity measures, including employee training, strong authentication protocols, and regular compliance checks. As cyber threats evolve, companies must prioritize robust security practices to safeguard customer data and maintain regulatory compliance.

PayPal’s costly lesson serves as a warning to all organizations: cybersecurity negligence can lead to financial penalties, reputational harm, and loss of consumer trust.
