Privacy & Information Security Law Blog

On January 23, 2025, the New York Department of Financial Services (“NYDFS”) announced a $2 million civil fine against PayPal, Inc. (“PayPal”) for alleged cybersecurity failures that resulted in the unauthorized exposure of customers’ personal information. 

According to the consent order, in December 2022, a PayPal security analyst identified an online post describing a security gap that allowed unauthorized parties to access Forms 1099-K available on PayPal’s online platform. The forms contained PayPal customers’ unredacted personal information, including names, dates of birth and full Social Security numbers. One day after the analyst identified the issue, PayPal’s cybersecurity team noticed activity indicative of threat actors using credential stuffing to gain access to the personal information contained in the forms.

According to NYDFS, the data became exposed when PayPal changed its data flows to make the forms available to more customers. NYDFS alleged that PayPal failed to adequately train the engineering team implementing this change to implement the company’s policies and procedures designed to protect personal information with respect to the updated data flows. NYDFS also alleged that PayPal’s failure to mandate multi-factor authentication for customer accounts contributed to the unauthorized parties’ ability to access the forms.

NYDFS charged PayPal with violations of the NYDFS Cybersecurity Regulation, including the failure to provide sufficient cybersecurity training to personnel and to maintain adequate cybersecurity policies designed to protect nonpublic information, resulting in a $2 million fine against the company. The consent order notes that PayPal had cooperated with NYDFS’s investigation and implemented several corrective measures, including mandating multi-factor authentication and conducting enhanced training programs for its cybersecurity personnel and engineers.