New York fines PayPal $2 million for shoddy security practices

PayPal was issued a $2 million fine from the state of New York for failing to properly secure customer data.

The New York state department of financial services said the seven-figure payout would be part of a settlement deal stemming from the 2022 data breach that saw some customer Social Security numbers exposed to threat actors.

The state found that PayPal botched the 2022 rollout of a system designed to help account holders access their 1099 income tax forms. As a result of the faulty portal system, users were able to pull up forms of other account holders, which included, among other data, Social Security numbers.

Since Social Security numbers are used to file taxes and obtain official government documents, the breach posed a massive risk for identity theft.

The state’s investigation found that, in addition to the flaws in the application itself, there was an underlying problem in the way PayPal maintained and enforced its policies around secure application development and the handling of customer data.

“The Department’s investigation also revealed that PayPal failed to implement and maintain written policies that address access controls, identity management, and customer data, and failed to use effective controls to protect against unauthorized access to Nonpublic Information or Information Systems,” the DFS explained.

“Notably, the company did not require customers to use multifactor authentication or use controls such as CAPTCHA or rate limiting to help prevent unauthorized access. PayPal has since remediated these issues and improved its cybersecurity practices.”
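The two failings described above, a form identifier that was never checked against the account requesting it and the absence of rate limiting, sketched as an added example in Python. This is not PayPal's code; the account ids, form ids, last-four digits and request limit are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class TaxForm:
    form_id: str
    owner_account: str
    ssn_last4: str  # constructed sample value, not a real SSN


# Constructed sample data: two account holders, one 1099 form each.
FORMS = {
    "1099-001": TaxForm("1099-001", "acct-alice", "1234"),
    "1099-002": TaxForm("1099-002", "acct-bob", "5678"),
}


class Forbidden(Exception):
    pass


class RateLimitExceeded(Exception):
    pass


class FormPortal:
    def __init__(self, max_requests=5):
        self.max_requests = max_requests
        self.counts = defaultdict(int)  # requests seen per requesting account

    def fetch_form_insecure(self, form_id):
        # Looks the form up by identifier alone and never asks who is requesting,
        # so any logged-in user who guesses an id receives another holder's form.
        return FORMS[form_id]

    def fetch_form(self, requester_account, form_id):
        # Count the request before touching any data so probing is throttled.
        self.counts[requester_account] += 1
        if self.counts[requester_account] > self.max_requests:
            raise RateLimitExceeded(requester_account)
        form = FORMS.get(form_id)
        # Object-level authorization: the form must belong to the requester.
        # Unknown and foreign ids get the same response, so ids cannot be enumerated.
        if form is None or form.owner_account != requester_account:
            raise Forbidden(form_id)
        return form


def attempt(portal, requester_account, form_id):
    """Map the outcome to the status a web handler would return."""
    try:
        return "200:" + portal.fetch_form(requester_account, form_id).form_id
    except Forbidden:
        return "403"
    except RateLimitExceeded:
        return "429"
```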

The fine is the second such data breach penalty doled out by New York state in recent months. In November, state officials fined insurance company Geico a cool $11 million for its failures in securing customer data and handling of breach notifications.

The settlement also comes on the heels of a similar deal between the U.S. government and GoDaddy to settle claims that the domain registrar had fundamental failings in the way its organization stored and handled customers’ personally identifiable information.

“New York’s nation-leading cybersecurity regulation sets a critical standard for safeguarding consumer data and strengthening the resilience of financial institutions,” said New York’s Financial Services Superintendent Adrienne Harris.

“Qualified cybersecurity personnel are the first line of defense against potential data breaches, and providing proper training and effectively implementing cybersecurity policies and procedures are vital steps to protecting sensitive data and mitigating risks.” 
