SC Media reports that PayPal was ordered by the New York State Department of Financial Services (DFS) to pay $2 million to settle charges of cybersecurity lapses that led to a 2022 data breach exposing some of its customers' Social Security numbers.
Aside from failing to address vulnerabilities impacting its customer portal for accessing 1099 income tax forms rolled out three years ago, PayPal also did not properly adopt and maintain access control, customer data, and identity management policies, said New York DFS, which also noted PayPal's lack of multi-factor authentication mandates at the time of the breach.
"New York's nation-leading cybersecurity regulation sets a critical standard for safeguarding consumer data and strengthening the resilience of financial institutions," said Adrienne Harris, superintendent of DFS. "Qualified cybersecurity personnel are the first line of defense against potential data breaches, and providing proper training and effectively implementing cybersecurity policies and procedures are vital steps to protecting sensitive data and mitigating risks."