Cybersecurity Lapses Cost PayPal in New York Enforcement Action

According to two people aware of the matter, PayPal has settled for a $2 million civil fine over a cybersecurity breach late last year that exposed customers' sensitive information, including Social Security numbers. New York's Department of Financial Services launched an investigation after finding the company didn't have proper security practices in place. The breach showed that serious weaknesses existed in PayPal's cybersecurity protocols, and personal data was accessed for multiple weeks.

PayPal Faces $2 Million Fine Over Cybersecurity Breaches in New York

It was found that PayPal had not put suitably qualified staff in place to oversee the service's key cybersecurity functions. On top of that, the company didn't train its people to mitigate cybersecurity risks, and personal information was exposed as a result. Because of these lapses, customer data was left exposed to cybercriminals for seven weeks without sufficient protection.

The breach also involved the exposure of Social Security numbers, the personal data of an already vulnerable subset of customers, putting them at risk if those numbers were compromised. All this points to a security gap that is critical in terms of PayPal's internal controls and its ability to protect the privacy of users around the world.

PayPal acknowledged its mistakes and said it fully cooperated with the investigation. The company said in a statement, copies of which were obtained by Reuters, that safeguarding personal information and ensuring a secure platform remain top priorities. The real toll of these lapses will come later, when the company's reputation and the trust of its customers also take a hit.

This enforcement action serves as a general warning to all companies to follow good cybersecurity practices and to comply with regulatory requirements. Since data is the most valuable asset for a cybercriminal, businesses need to invest in the necessary resources and in educating their staff to protect their customers' information.

PayPal Cybersecurity Breach Linked to Credential Stuffing Attack

On December 6, lengthly.in, a security analyst, discovered that PayPal's cybersecurity breach exposed sensitive customer data, when an online message was found that said 'PP EXPOSIT TO GET SSN.' This alarming message spooked PayPal enough to act immediately, and its cybersecurity team identified a spike in attempts to log into the platform the next day. After investigation, they found that cybercriminals had carried out a so-called 'credential stuffing' attack and accessed sensitive federal tax forms without authorization.

In this case, the method used was credential stuffing: using login credentials stolen in other data breaches to try to log in to accounts. Cybercriminals used this technique to look through tax form files containing Social Security numbers and other personal information for tens of thousands of customers, according to the letter. The breach brings to light the consequences of reusing credentials, especially where sensitive data is involved.
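The login spike described above can be separated from ordinary failed logins by counting how many distinct accounts each source tries. The following is an added example, not code from the article or from PayPal; the log format, thresholds, function names and sample lines are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed sliding window
MIN_ACCOUNTS = 5                # assumed: distinct usernames tried by one source
MIN_FAIL_RATIO = 0.6            # assumed: share of attempts that fail

# Constructed sample log: "timestamp source_ip username result"
SAMPLE_LOG = """\
2000-01-01T09:00:00 192.0.2.50 erin OK
2000-01-01T09:00:05 192.0.2.50 frank OK
2000-01-01T09:00:09 192.0.2.50 grace OK
2000-01-01T09:00:14 192.0.2.50 heidi OK
2000-01-01T09:00:20 192.0.2.50 ivan OK
2000-01-01T09:01:00 198.51.100.20 dave FAIL
2000-01-01T09:01:10 198.51.100.20 dave FAIL
2000-01-01T09:01:20 198.51.100.20 dave OK
2000-01-01T09:02:00 203.0.113.9 u1001 FAIL
2000-01-01T09:02:01 203.0.113.9 u1002 FAIL
2000-01-01T09:02:02 203.0.113.9 u1003 OK
2000-01-01T09:02:03 203.0.113.9 u1004 FAIL
2000-01-01T09:02:04 203.0.113.9 u1005 FAIL
2000-01-01T09:02:05 203.0.113.9 u1006 FAIL
"""

def parse(log_text):
    """Turn log lines into time-sorted (time, ip, user, success) tuples."""
    events = []
    for line in log_text.strip().splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return sorted(events)

def detect_stuffing(events):
    """Map each suspicious source IP to the accounts it logged in to successfully."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > WINDOW:
                start += 1  # slide the window forward
            window = evs[start:end + 1]
            users = {u for _, _, u, _ in window}
            fails = sum(1 for *_, ok in window if not ok)
            # Many accounts plus mostly failures: stuffing, not a forgotten password or shared NAT
            if len(users) >= MIN_ACCOUNTS and fails / len(window) >= MIN_FAIL_RATIO:
                flagged[ip] = sorted({u for _, _, u, ok in evs if ok})
                break
    return flagged
```

The accounts returned for a flagged source are the ones to treat as compromised. A per-source threshold misses attempts spread across many addresses, so a platform-wide failure-rate alert is a useful companion check.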

PayPal had apparently made changes to its data flows so that the federally required tax forms would be more easily viewable by more consumers. Unfortunately, these adjustments inadvertently created new security gaps that attackers exploited. As a result, the company's attempt to improve accessibility eased the way for hackers to breach its defenses.

As a result of the breach, some customer data was exposed, and as soon as the company became aware, it took immediate action to remedy the security flaws and prevent more data from being exposed. In response, the platform's safeguards were built out and the company's cybersecurity team worked to mitigate the impact. But the incident prompted questions about PayPal's security, given the sensitivity of the data that was exposed.

This is a sharp reminder that strong cybersecurity protocols are necessary, and of the risks involved in making system changes without proper security reviews. That makes it all the more important for companies to strike a balance between accessibility and security, without opening up vulnerabilities in user privacy or data protection through clumsy changes to data flows or platform features.

PayPal Faces Fine for Failing to Implement Key Cybersecurity Measures

PayPal also did not use essential cybersecurity measures, including multifactor authentication and CAPTCHA, that might have thwarted unauthorized access to customer accounts, New York's financial services superintendent, Adrienne Harris, said. These security lapses were hard to argue against, and they left the company responsible for a $2 million fine. Because PayPal failed to implement these controls, customer data was open to attack, Harris noted.

The fine was for PayPal violating a cybersecurity regulation introduced by the New York Department of Financial Services in 2017. This regulation is an obligation for companies that process sensitive data. PayPal's failure to comply with these standards left customer information exposed and made the company the subject of the enforcement action.

Since the breach, however, PayPal has made some changes to its cybersecurity practices. The company now requires all U.S. customer accounts to use multifactor authentication (MFA) to further strengthen protection against unauthorized access. With MFA, a user has to provide two or more verification factors to prove their identity, which makes things harder for a bad actor even if they have compromised the user's credentials.

PayPal has also forced password resets on all affected accounts and added CAPTCHA to cut off automated bots that could otherwise get at customer data so easily. Both measures are meant to improve security and reduce the chances of similar breaches, bringing the company's practices in line with the regulatory requirements. The steps taken are a logical way to fix the vulnerabilities identified during the investigation.

While these enhancements are certainly positive developments, the breach highlights how much work companies still have to do when it comes to protecting their customers' data. As cyber threats keep evolving, businesses need to keep upping their game by updating their security practices continually to avoid the risks headed their way. The PayPal incident is a good reminder that cybersecurity rules should be followed and that robust protective measures should be put in place.

Achaoui Rachid