
PayPal Faces $2 Million Fine from New York for Inadequate Cybersecurity Measures

PayPal Fined $2 Million by New York for Cybersecurity Failures

In December 2022, PayPal experienced a data breach that exposed sensitive customer information, including Social Security numbers. The breach occurred after PayPal made changes to its data flows to make IRS Form 1099-Ks available to more customers. Due to inadequate training, the teams responsible for these changes failed to follow proper procedures, allowing cybercriminals to exploit exposed credentials and access the forms.

The New York State Department of Financial Services (DFS) investigated the incident and found that PayPal violated the state’s Cybersecurity Regulation. Specifically, PayPal failed to use qualified personnel to manage key cybersecurity functions and did not provide adequate training to address cybersecurity risks. As a result, the company has agreed to pay a $2 million penalty to settle these allegations.

In response to the breach, PayPal has implemented several security enhancements, including requiring multifactor authentication on all U.S. customer accounts, forcing password resets on affected accounts, and implementing CAPTCHA to prevent unauthorized access.

This incident underscores the critical importance of robust cybersecurity measures and proper training to protect sensitive customer data.
