PayPal, Inc., a prominent player in the financial technology sector, has consented to pay a $2 million fine to the State of New York due to a cybersecurity incident that compromised sensitive customer data, including Social Security numbers.

The settlement was revealed by Superintendent Adrienne A. Harris of the New York State Department of Financial Services (DFS), which identified breaches of the state's Cybersecurity Regulation. The DFS's investigation determined that PayPal did not employ adequately trained staff for essential cybersecurity functions and lacked sufficient preparation for its employees to manage cybersecurity threats. These deficiencies resulted in vulnerabilities that permitted cybercriminals to access unredacted customer information via IRS Form 1099-Ks.

“New York’s nation-leading cybersecurity regulation sets a critical standard for safeguarding consumer data and strengthening the resilience of financial institutions,” Harris said. “Qualified cybersecurity personnel and properly implemented policies are essential in protecting sensitive information and mitigating risks.”

The issues for PayPal arose when it modified its data systems to increase the accessibility of Form 1099-Ks. The teams tasked with these changes reportedly lacked training on PayPal’s internal systems and did not adhere to necessary protocols. This lapse allowed malicious actors with compromised credentials to access forms that contained customers’ Social Security numbers and other sensitive data.

Additionally, the DFS identified broader weaknesses in PayPal’s cybersecurity measures. The company had not established written policies for access controls or identity management and failed to implement effective protections, such as multifactor authentication and tools like CAPTCHA, to prevent unauthorized access. PayPal has since taken steps to rectify these vulnerabilities and improve its cybersecurity practices.

New York's Cybersecurity Regulation, established in 2017, received an update in November 2023 aimed at enhancing the protection of consumer data. Harris highlighted the necessity for companies to consistently evolve and implement strong cybersecurity protocols to avert incidents of this nature.

The consent order outlining the settlement can be accessed on the DFS website.