PayPal will pay a $2 million penalty to New York state to settle the state’s allegations that the company had cybersecurity failures that led to a data breach.
New York alleged that PayPal violated the state’s Cybersecurity Regulation by failing to use qualified personnel to manage cybersecurity and by failing to provide adequate training around cybersecurity risks, the New York State Department of Financial Services (DFS) said in a Thursday (Jan. 23) press release.
The state alleged that, because of these cybersecurity failures, when PayPal made changes to existing data flows, cybercriminals were able to use compromised credentials to access IRS Form 1099-Ks, which include Social Security numbers and other sensitive information, according to the release.
“Qualified cybersecurity personnel are the first line of defense against potential data breaches, and providing proper training and effectively implementing cybersecurity policies and procedures are vital steps to protecting sensitive data and mitigating risks,” DFS Superintendent Adrienne A. Harris said in the release.
Reached by PYMNTS, a PayPal spokesperson said in an emailed statement that the company takes its regulatory responsibilities seriously and that protecting consumers’ personal information and maintaining a secure platform is a “top priority.”
“After self-reporting and disclosing this issue, we worked closely with the New York Department of Financial Services to resolve this matter, which occurred in December 2022,” the statement said.
The DFS said in its press release that “PayPal has since remediated these issues and improved its cybersecurity practices.”
New York’s Cybersecurity Regulation was the first of its kind in the country when it took effect in March 2017. The regulation requires financial firms to take measures to protect networks and customer data from hackers and to disclose cyber events to state regulators.
Before its implementation, state regulation on the reporting of data breaches was vague, and large organizations tended not to report attacks.
In November, New York penalized auto insurance giants Geico and Travelers after the DFS found that they failed to comply with its Cybersecurity Regulation and the New York State Attorney General found that they failed to implement proper data security controls.
Geico, which had 116,000 customers from New York exposed to cyberattacks, was required to pay $9.75 million. Travelers, which had 4,000 customers exposed, was required to pay $1.55 million.
In October, the DFS released an Industry Letter offering guidance on how to assess cybersecurity risks linked to the use of artificial intelligence within the existing framework of the Cybersecurity Regulation.
The post PayPal to Settle New York’s Allegations of Cybersecurity Failures appeared first on PYMNTS.com.