
PayPal, Inc. has agreed to pay a $2 million penalty to New York State after an investigation by the Department of Financial Services (DFS) uncovered violations of its Cybersecurity Regulation. The breach, which occurred between December 6 and 8, 2022, exposed sensitive customer data, including Social Security numbers and tax identification details, through a series of credential-stuffing attacks.
DFS attributed the breach to multiple security lapses, such as PayPal’s failure to implement robust access controls, enforce multi-factor authentication (MFA), and train its personnel on secure application development processes. The breach was exacerbated by PayPal’s flawed implementation of updates to distribute IRS Form 1099-Ks, which cybercriminals exploited to access customer data.
Although PayPal has since remediated these issues—introducing MFA, CAPTCHA, and rate-limiting features—the violations highlight the importance of strict adherence to cybersecurity regulations. This settlement reinforces the critical role of qualified personnel, proper training, and effective security controls in protecting customer data.
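The controls named above (rate limiting, and detection of credential stuffing against many accounts at once) are easier to reason about with a concrete sketch. The following is an added example written for this page, not PayPal's code or anything DFS published: it parses a constructed authentication log, flags source IPs that try many distinct usernames inside a short window (the credential-stuffing pattern, as opposed to brute force against a single account), and replays the same events through a sliding-window rate limiter keyed by source IP. The log format, thresholds, IP addresses and usernames are all assumptions.

```python
"""Added example (not from the article): credential-stuffing detection over
authentication logs plus a per-source login rate limiter.
The log format, thresholds and every sample value are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, source IP, username, outcome.
# 203.0.113.7 sprays six different usernames in four seconds (stuffing).
# 198.51.100.5 is a single user retrying their own password (benign).
SAMPLE_LOG = """\
2022-12-06T10:00:01Z 203.0.113.7 alice FAIL
2022-12-06T10:00:02Z 203.0.113.7 bob FAIL
2022-12-06T10:00:02Z 203.0.113.7 carol FAIL
2022-12-06T10:00:03Z 203.0.113.7 dave FAIL
2022-12-06T10:00:03Z 203.0.113.7 erin SUCCESS
2022-12-06T10:00:04Z 203.0.113.7 frank FAIL
2022-12-06T10:00:10Z 198.51.100.5 alice FAIL
2022-12-06T10:00:20Z 198.51.100.5 alice FAIL
2022-12-06T10:00:30Z 198.51.100.5 alice SUCCESS
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, ip, user, outcome)."""
    events = []
    for line in text.splitlines():
        ts, ip, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=1),
                          min_attempts=5, min_distinct_users=4):
    """Return {ip: max distinct usernames seen in any window} for IPs whose
    activity matches the stuffing signature: many attempts against many
    *different* accounts from one source. Outcome is ignored on purpose;
    a stuffing run usually mixes successes in with the failures."""
    by_ip = defaultdict(list)
    for ts, ip, user, _outcome in events:
        by_ip[ip].append((ts, user))

    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it fits inside `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            current = attempts[start:end + 1]
            users = {u for _, u in current}
            if len(current) >= min_attempts and len(users) >= min_distinct_users:
                flagged[ip] = max(flagged.get(ip, 0), len(users))
    return flagged


class LoginRateLimiter:
    """Sliding-window limiter keyed by source IP: once `limit` attempts have
    been made within `window`, further attempts are refused before any
    credential check runs, which caps how fast a stolen list can be tried."""

    def __init__(self, limit=5, window=timedelta(minutes=1)):
        self.limit = limit
        self.window = window
        self.attempts = defaultdict(list)

    def allow(self, ip, now):
        recent = [t for t in self.attempts[ip] if now - t <= self.window]
        self.attempts[ip] = recent
        if len(recent) >= self.limit:
            return False
        recent.append(now)
        return True


def replay_with_limiter(events, limiter):
    """Replay events through the limiter; return how many would be blocked."""
    blocked = 0
    for ts, ip, _user, _outcome in events:
        if not limiter.allow(ip, ts):
            blocked += 1
    return blocked


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("flagged sources:", find_stuffing_sources(evts))
    print("attempts blocked by limiter:", replay_with_limiter(evts, LoginRateLimiter()))
```

Two design points are worth noting. The detector keys on distinct usernames per source rather than on failures per account, because a stuffing run spreads its attempts thinly across many accounts and may never trip a per-account lockout; and the limiter is deliberately applied before the credential check, so that the throttled attempts cost the attacker time without revealing whether a password was correct. In production the per-IP key would be complemented by device and account keys, since stuffing traffic is routinely spread across many source addresses.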
The settlement requires PayPal to pay the fine within 10 days. DFS emphasized the importance of New York’s cybersecurity regulations, which have been in effect since 2017, as a benchmark for protecting sensitive information in financial institutions.