PayPal penalized $2 million over data breach involving 35K Social Security numbers

Digital payments giant PayPal will pay a $2 million penalty after a December 2022 cybersecurity incident that leaked thousands of Social Security numbers, New York state regulators said Thursday. 

The fine will settle violations of New York’s financial cybersecurity regulation, which mandates that companies like PayPal “use qualified personnel to manage key cybersecurity functions” and adequately train staff to address cyber risks, New York State Department of Financial Services (DFS) Superintendent Adrienne Harris said. 

“Qualified cybersecurity personnel are the first line of defense against potential data breaches, and providing proper training and effectively implementing cybersecurity policies and procedures are vital steps to protecting sensitive data and mitigating risks,” she said. 

In January 2023, the company sent breach notification letters to nearly 35,000 customers after a December 6 credential stuffing attack allowed hackers to access names, addresses, Social Security numbers, individual tax identification numbers and dates of birth.

In a consent order published on Thursday, DFS said a PayPal security analyst at the time identified a message posted online saying “PP EXPLOIT TO GET SSN” that included instructions to follow a link to PayPal’s website to view customers’ Social Security numbers. 

The company later discovered that tax documents on PayPal’s online platform contained unmasked consumer information. The vulnerability was sourced back to changes the platform had to make in response to the American Rescue Plan Act in 2022. 

“On December 7, 2022 — one day after the PayPal security analyst saw the online message — PayPal’s cybersecurity team noticed a spike in attempts to access PayPal’s online platform and concluded that threat actors were using credential stuffing to gain access to the [customer information],” according to the order. 
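The order describes the team spotting credential stuffing from a spike in access attempts. The following is an added illustration of how that kind of signal is pulled out of authentication logs; it is not PayPal’s detection logic, and the log format, the sample lines (constructed, with documentation-range IPs) and the thresholds are all assumptions. Credential stuffing shows up as one source trying many different accounts with mostly failures, which is distinct from a single account being retried, so the example separates the two and also reports the overall volume spike.

```python
"""Credential-stuffing detection over constructed authentication log lines.

Two aggregate signals are computed:
  1. per-source burst: one source IP attempting many *distinct* usernames
     inside a sliding window with a high failure ratio;
  2. global spike: total attempts in a fixed window far above a baseline.
"""
from collections import Counter, defaultdict, deque
from datetime import timedelta, datetime

# Constructed sample lines (not real data). Assumed format:
# "<ISO timestamp> <source_ip> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2022-12-07T09:00:01 203.0.113.5 alice FAIL
2022-12-07T09:00:02 203.0.113.5 bob FAIL
2022-12-07T09:00:02 203.0.113.5 carol FAIL
2022-12-07T09:00:03 203.0.113.5 dave OK
2022-12-07T09:00:03 203.0.113.5 erin FAIL
2022-12-07T09:00:04 203.0.113.5 frank FAIL
2022-12-07T09:00:05 198.51.100.9 alice FAIL
2022-12-07T09:00:20 198.51.100.9 alice FAIL
2022-12-07T09:00:40 198.51.100.9 alice OK
2022-12-07T09:05:00 192.0.2.44 grace OK
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, username, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def stuffing_sources(events, window_seconds=60, min_accounts=5, min_fail_ratio=0.6):
    """Return {ip: (distinct_accounts, attempts, failures)} for each source that,
    in some sliding window, tried >= min_accounts distinct usernames with a
    failure ratio >= min_fail_ratio. A source hammering ONE account does not
    qualify: that is a different pattern (single-account guessing or a user
    mistyping a password), and the thresholds are assumptions to tune."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    span = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        win, users, fails = deque(), Counter(), 0
        for ts, user, ok in evs:
            win.append((ts, user, ok))
            users[user] += 1
            fails += 0 if ok else 1
            # Evict events that fell out of the window.
            while ts - win[0][0] > span:
                _, old_user, old_ok = win.popleft()
                users[old_user] -= 1
                if users[old_user] == 0:
                    del users[old_user]
                fails -= 0 if old_ok else 1
            attempts = len(win)
            if len(users) >= min_accounts and fails / attempts >= min_fail_ratio:
                cur = (len(users), attempts, fails)
                if cur > flagged.get(ip, (0, 0, 0)):
                    flagged[ip] = cur  # keep the worst window seen
    return flagged


def attempt_spikes(events, window_seconds=60, baseline_per_window=2.0, factor=3.0):
    """Bucket all attempts into fixed windows measured from the first event and
    return the start times of windows whose volume exceeds factor * baseline."""
    if not events:
        return []
    base = min(ts for ts, *_ in events)
    buckets = Counter()
    for ts, *_ in events:
        buckets[int((ts - base).total_seconds()) // window_seconds] += 1
    return sorted(
        base + timedelta(seconds=idx * window_seconds)
        for idx, n in buckets.items()
        if n > factor * baseline_per_window
    )


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("stuffing sources:", stuffing_sources(evs))
    print("volume spikes at:", [s.isoformat() for s in attempt_spikes(evs)])
```

Running it flags only 203.0.113.5 (six accounts, five failures in four seconds) and reports the 09:00 window as a spike; 198.51.100.9 retries a single account and is not reported as stuffing. In practice the same two counters are what an alert would be built on, with the baseline taken from the platform’s own history rather than a constant.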

The PayPal team quickly made updates that resolved the issue, but an investigation revealed the original changes did not go through what the company calls a “Risk and Control Identification Process” due to a clerical error. 

PayPal agreed to pay the $2 million fine, which cannot be covered by cyber insurance, within 10 days of the consent order’s release.

DFS commended PayPal for being forthright about the incident during its investigation and for making concrete changes – including mandating multifactor authentication for all U.S. customer account logins and updating internal operational rules. 

PayPal did not respond to requests for comment. 

There are several dark web forums where thousands of PayPal credentials are sold, despite efforts from law enforcement to shut down the marketplaces and jail those selling the login details.

The 34,942 people impacted by the December 2022 breach were given two years of free services from Equifax that include credit monitoring, fraud alerts and identity restoration.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.