Excerpt from PYMNTS Article, Published on Jan 23, 2025.
PayPal has agreed to pay a $2 million fine to New York State to resolve allegations of cybersecurity failures that led to a data breach. The New York State Department of Financial Services (DFS) announced the settlement on January 23, citing violations of the state’s Cybersecurity Regulation. The DFS alleged that PayPal failed to employ qualified personnel to oversee its cybersecurity operations and did not provide sufficient training on cybersecurity risks. These shortcomings reportedly allowed cybercriminals to exploit compromised credentials, gaining access to IRS Form 1099-Ks that contain Social Security numbers and other sensitive information. The breach occurred in December 2022 when changes were made to existing data flows.
“Qualified cybersecurity personnel are the first line of defense against potential data breaches,” said DFS Superintendent Adrienne A. Harris. “Proper training and implementation of robust cybersecurity policies are vital for protecting sensitive data and mitigating risks.”
PayPal, in an emailed statement, emphasized its commitment to regulatory compliance and data protection. The company said it self-reported the incident and worked closely with the DFS to address the issue. It has since improved its cybersecurity measures to prevent future breaches.
New York’s Cybersecurity Regulation, implemented in March 2017, was the first of its kind in the United States, requiring financial firms to protect networks and customer data while reporting cyber incidents. Before its introduction, organizations often lacked clear guidance on data breach reporting.
This settlement follows other recent DFS actions, including penalties against Geico and Travelers in 2024 for cybersecurity violations. Geico paid $9.75 million after exposing data of 116,000 New York customers, while Travelers paid $1.55 million for exposing 4,000 customers. The PayPal settlement underscores the critical importance of adhering to New York’s stringent cybersecurity standards to protect sensitive consumer data.
To delve deeper into this topic, please read the full article on PYMNTS.




