- PayPal has been fined $2 million for cybersecurity failures
- The fine was imposed by the New York State Department of Financial Services after a 2022 data breach
- DFS says PayPal did not properly train staff on security practices
New York regulators have imposed a $2 million fine on financial services giant PayPal for cybersecurity failures that exposed the personally identifiable information (PII) of tens of thousands of customers.
The breach, which occurred in December 2022, compromised Social Security numbers, email addresses and user names.
The fine, imposed by the New York State Department of Financial Services (DFS), follows an investigation into deficiencies in PayPal's cybersecurity practices before the breach. DFS determined that PayPal did not use "qualified personnel" to manage key cybersecurity functions and did not provide adequate training to address cybersecurity risks.
Procedures not followed
The investigation found that these failures enabled the 2022 breach, in which hackers used a technique called "credential stuffing": attackers "stuff" login pages with large numbers of credentials stolen from other sites until one of them works.
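Credential stuffing leaves a recognisable footprint in authentication logs: one source address cycling through many different usernames, almost all of them failing, rather than one user retrying their own password. The Python below is an added example (not PayPal's code and not from the DFS report) that flags such sources over a sliding time window and lists the accounts that nonetheless logged in successfully from them, which is the set a defender would force-reset. The log format, the IP addresses and the usernames are constructed for the example.

```python
"""Flag credential-stuffing patterns in a simple authentication log.

Added example, not from the original article. The log format is assumed:
    "<ISO-8601 UTC timestamp> <source_ip> <username> <LOGIN_OK|LOGIN_FAIL>"
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.7 behaves like a stuffing bot (seven
# usernames in seven seconds, one success); 198.51.100.2 looks like a real
# user mistyping their own password and then getting it right.
SAMPLE_LOG = """\
2022-12-06T10:00:01Z 203.0.113.7 alice LOGIN_FAIL
2022-12-06T10:00:02Z 203.0.113.7 bob LOGIN_FAIL
2022-12-06T10:00:03Z 203.0.113.7 carol LOGIN_FAIL
2022-12-06T10:00:04Z 203.0.113.7 dave LOGIN_FAIL
2022-12-06T10:00:05Z 203.0.113.7 erin LOGIN_FAIL
2022-12-06T10:00:06Z 203.0.113.7 frank LOGIN_OK
2022-12-06T10:00:07Z 203.0.113.7 grace LOGIN_FAIL
2022-12-06T10:01:00Z 198.51.100.2 alice LOGIN_FAIL
2022-12-06T10:01:05Z 198.51.100.2 alice LOGIN_FAIL
2022-12-06T10:01:20Z 198.51.100.2 alice LOGIN_OK
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, username, outcome)."""
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome


def detect_credential_stuffing(lines, window=timedelta(minutes=5),
                               max_distinct_users=5):
    """Return {ip: (peak_distinct_users, successful_accounts)} for every
    source IP that attempted logins for more than `max_distinct_users`
    different usernames inside any `window`-long sliding interval.

    `successful_accounts` lists usernames that logged in from a flagged IP
    anywhere in the log: the accounts whose stolen credentials worked.
    """
    events = sorted((parse_line(l) for l in lines if l.strip()),
                    key=lambda e: e[0])
    recent = defaultdict(deque)        # ip -> events still inside the window
    peak = {}                          # ip -> highest distinct-user count seen
    successes = defaultdict(set)       # ip -> usernames with LOGIN_OK

    for ts, ip, user, outcome in events:
        if outcome == "LOGIN_OK":
            successes[ip].add(user)
        q = recent[ip]
        q.append((ts, user))
        # Drop events that have fallen out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = len({u for _, u in q})
        if distinct > max_distinct_users:
            peak[ip] = max(peak.get(ip, 0), distinct)

    return {ip: (n, sorted(successes[ip])) for ip, n in peak.items()}


if __name__ == "__main__":
    for ip, (n, accounts) in detect_credential_stuffing(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} distinct usernames in window; successful logins: {accounts}")
```

The threshold and window are tunable: a large consumer site would set them from its own baseline of legitimate shared-IP traffic (NAT gateways, mobile carriers) rather than from the small values used here, and would pair the alert with a forced password reset and a step-up authentication challenge for the listed accounts.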
Customer data was exposed after PayPal changed its data flows to make IRS Form 1099-K available to more customers. The teams that implemented those changes had not been properly trained in PayPal's application development systems and processes.
As a result, DFS determined that employees "did not follow the appropriate procedures" when making the changes, which allowed cybercriminals to use the stolen credentials to access the forms and thereby compromise customers' confidential data.
"New York's nation-leading cybersecurity regulation sets a critical standard for safeguarding consumer data and strengthening the resilience of financial institutions," said Superintendent Adrienne A. Harris in a statement.
"Qualified cybersecurity personnel are the first line of defense against potential data breaches, and providing adequate training and effectively implementing cybersecurity policies and procedures are vital steps to protect confidential data and mitigate risks."
Beyond the immediate danger of account takeover, the exposed personal information puts customers at risk of identity theft, so see our recommendations for the best identity theft protection if you think your data may have been exposed.