By Jonathan Stempel
NEW YORK (Reuters) -PayPal will pay a $2 million civil fine over cybersecurity failures that led to the exposure of customers’ Social Security numbers in late 2022, New York state’s Department of Financial Services said on Thursday.
Adrienne Harris, New York’s financial services superintendent, said a probe by her office found PayPal (NASDAQ:PYPL) failed to use qualified staff to manage key cybersecurity functions or provide adequate training to address cybersecurity risks.
She said this left names, dates of birth and Social Security numbers belonging to customers of the San Jose, California-based digital payments company easily accessible to cybercriminals for about seven weeks.
PayPal cooperated with the probe. It did not immediately respond to requests for comment.
According to a consent order, PayPal discovered the problem after a security analyst on Dec. 6, 2022 read an online message that said “PP EXPLOIT TO GET SSN.”
The next day, PayPal’s cybersecurity team saw a spike in attempts to access its online platform, and determined that cybercriminals were using “credential stuffing” to view federal tax forms for tens of thousands of customers.
Data were exposed after PayPal made changes to existing data flows so it could make the forms available to more customers.
Harris also faulted PayPal for not requiring customers to use multifactor authentication or controls such as CAPTCHA to prevent unauthorized access.
The fine was for violating the financial services department’s cybersecurity regulation, adopted in 2017.
PayPal has upgraded its security, including by implementing CAPTCHA, the consent order said.