© 2025 CoolTechZone - Latest tech news,
product reviews, and analyses.

PayPal fined $2 million for exposing social security numbers


New York state’s Department of Financial Services has ordered PayPal to pay a $2 million fine for the exposure of customers’ social security numbers due to faulty cybersecurity measures.

PayPal implemented changes to existing data flows to make IRS Form 1099-Ks available to more of its customers.

However, the teams tasked with implementing these changes were not trained on PayPal’s systems and application development processes. As a result, they failed to follow proper procedures before the changes went live. This allowed cybercriminals to leverage compromised credentials to access Form 1099-Ks, which included sensitive customer data.

Adrienne Harris, New York’s financial services superintendent, said on Thursday that an investigation by her office found that PayPal had inadequately implemented key cybersecurity measures, and hadn’t provided adequate training to its employees to mitigate cybersecurity risks.

This left customers’ sensitive personal information, including full names, dates of birth, and social security numbers, easily accessible to hackers and other threat actors for seven weeks.

Furthermore, Harris blames PayPal for not implementing multi-factor authentication for customers, which would have better protected their personal information and prevented unauthorized access, and for not implementing CAPTCHA to detect abusive traffic on its website.

“The Department’s investigation also revealed that PayPal failed to implement and maintain written policies that address access controls, identity management, and customer data, and failed to use effective controls to protect against unauthorized access to Nonpublic Information or Information Systems,” New York state’s Department of Financial Services says in a press release.

“New York’s nation-leading cybersecurity regulation sets a critical standard for safeguarding consumer data and strengthening the resilience of financial institutions. Qualified cybersecurity personnel are the first line of defense against potential data breaches, and providing proper training and effectively implementing cybersecurity policies and procedures are vital steps to protecting sensitive data and mitigating risks,” Harris said in a statement.

According to Reuters, PayPal discovered the problem after a security analyst read an online message saying “PP EXPLOIT TO GET SSN”.

The next day, the financial service provider noticed unusual network activity on its platform. It was determined that hackers were performing credential stuffing attacks in order to access the company’s internal computer network and view federal tax forms for tens of thousands of customers.
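The credential-stuffing pattern behind the "unusual network activity" mentioned above has a recognizable shape in authentication logs: one source cycling through many different usernames with a high failure rate, and the few successes from that source are the reused passwords that worked. The detector below is an added example, not code from the article or from PayPal; the log schema, thresholds and sample events are constructed for illustration.

```python
"""Flag credential-stuffing bursts in authentication logs (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    ts: int          # epoch seconds (constructed schema)
    src_ip: str
    username: str
    success: bool


# Constructed sample: 203.0.113.7 sprays twelve reused credentials, one of
# which works; 198.51.100.5 is a normal user who mistypes a password once.
SAMPLE_EVENTS = [
    LoginEvent(1000 + i, "203.0.113.7", f"user{i}@example.com", i == 6)
    for i in range(12)
] + [
    LoginEvent(1100, "198.51.100.5", "alice@example.com", False),
    LoginEvent(1105, "198.51.100.5", "alice@example.com", True),
]


def detect_stuffing(events, min_users=8, min_fail_ratio=0.8, window=300):
    """Return {src_ip: [usernames that succeeded]} for every source that tried
    at least `min_users` distinct usernames inside any `window`-second span
    with a failure ratio of at least `min_fail_ratio`.

    Thresholds are illustrative. The returned usernames are the accounts to
    force a password reset or step-up (MFA) on, since the source that guessed
    them was plainly not their owner.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        for start, first in enumerate(evs):
            burst = [e for e in evs[start:] if e.ts - first.ts <= window]
            users = {e.username for e in burst}
            fails = sum(not e.success for e in burst)
            if len(users) >= min_users and fails / len(burst) >= min_fail_ratio:
                flagged[ip] = sorted(e.username for e in burst if e.success)
                break  # one qualifying window is enough to flag the source
    return flagged


if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_EVENTS))
```

A real deployment would key on more than source IP (stuffing is often spread across proxies), but the distinct-username-to-failure shape is the signal that CAPTCHA or rate limiting would act on.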

PayPal has since remediated these issues and improved its cybersecurity practices.

