January 30, 2025

NYDFS reaches $2 million settlement with PayPal to resolve cybersecurity failures

In late January, the New York State Department of Financial Services (“NYDFS”) announced that it had reached a $2 million settlement with PayPal, Inc. after an NYDFS investigation revealed that a December 2022 data breach which led to the exposure of consumers’ sensitive personal information was the result of the company’s failure to follow its own cybersecurity policies and procedures.  The alleged violations included PayPal’s failure to use qualified personnel to perform key cybersecurity functions and its use of teams that were inadequately trained on PayPal’s systems and application development processes, in violation of the NYDFS Cybersecurity Regulation.

Before the breach occurred, PayPal’s cybersecurity team had updated its network to make IRS Forms 1099-K (forms that include customers’ names, dates of birth, and full SSNs) available online to its customers who were newly eligible to receive them per updated IRS requirements.  Shortly after the Forms 1099-K went live on PayPal’s platform, threat actors used compromised accounts to gain access to unmasked nonpublic information (“NPI”) resulting in the compromise of tens of thousands of consumers’ sensitive information.

According to NYDFS investigators, the PayPal engineers tasked with implementing the Form 1099-K change misclassified the type of change being deployed, a result of inadequate training on PayPal’s policies and procedures for deploying code.  Because of the misclassification, the team did not conduct a Risk and Control Identification Process (“RCIP”) as PayPal’s policies and procedures required; an RCIP would have included a risk assessment, network vulnerability testing, and the implementation of other safeguards before the Form 1099-K change went live.  NYDFS investigators also determined that PayPal had failed to implement and maintain written policies and procedures addressing access controls, identity management, and customer data privacy, and had failed to implement effective controls to protect NPI against unauthorized access.

According to the consent order, the NYDFS imposed a $2 million penalty after considering various factors, including the company’s “commendable” cooperation with investigators and PayPal’s efforts to address identified vulnerabilities, including the remedial efforts taken when the data breach was first discovered.

NYDFS Press Release | Consent Order