
PayPal Fined $2 Million Over 2022 Data Breach Exposing 35,000 Customers’ Data


PayPal has agreed to pay a $2 million penalty to New York State regulators following a 2022 cybersecurity breach that exposed sensitive personal information of nearly 35,000 customers, including names, dates of birth, and Social Security numbers. The penalty resolves violations of state cybersecurity regulations linked to systemic failures that allowed cybercriminals to access unprotected data for nearly seven weeks.

Breach Details and Cause

The breach occurred in late 2022 after PayPal adjusted its data systems to improve accessibility of IRS Form 1099-Ks for users. However, inadequate employee training and oversight led to critical errors: changes were not properly tested, leaving customer data unmasked and vulnerable. Cybercriminals exploited this lapse using “credential stuffing,” a technique where stolen login credentials are used to hijack accounts. The attackers accessed the forms undetected between October 2021 and December 2022, according to a report by The Record Media.

Regulatory Findings

An investigation by the New York State Department of Financial Services (NYDFS) revealed glaring gaps in PayPal’s cybersecurity framework. The company failed to assign qualified personnel to key roles, neglected to train staff on risk mitigation, and lacked basic safeguards like multifactor authentication (MFA) and CAPTCHA controls to block automated attacks.

“PayPal’s oversight failures created an unacceptable risk to consumers,” NYDFS stated, emphasizing that the breach violated the state’s stringent cybersecurity rules enacted in 2017.

Penalty and Remedial Actions

Under the settlement, PayPal will pay the $2 million fine and has since implemented corrective measures, including mandatory MFA for all U.S. accounts, password resets for affected users, and CAPTCHA integration to deter bots. The company also pledged to enhance employee training and data-flow vetting processes.

Broader Implications

The incident underscores the escalating threats posed by cyberattacks and the necessity for companies to rigorously update and test security protocols. “This settlement serves as a reminder that cybersecurity requires continuous investment and vigilance,” a NYDFS spokesperson said.

PayPal has notified impacted customers and offered free credit monitoring services. The breach highlights the critical need for organizations to prioritize defensive measures as cybercriminal tactics evolve.

Sources: NYDFS report (DFS.NY.GOV), The Record Media, Reuters
