
PayPal was fined $2 million due to security issues.

2025/01/24 23:52:58
PayPal was fined $2 million by the New York Department of Financial Services (DFS) over a December 2022 data breach that exposed the personal information of many customers. DFS found significant gaps in PayPal's cybersecurity program, including unqualified personnel in key roles and inadequate training. The weakness was introduced by changes made to improve customer access to IRS Form 1099-Ks; attackers then used credential stuffing to log in and reach the forms. DFS also found that PayPal's controls were insufficient and that it lacked written policies for access management and customer data protection. PayPal has since addressed the issues and improved its cybersecurity practices.
PayPal was fined $2 million by the New York Department of Financial Services (DFS) for a data breach that occurred in December 2022. The penalty was imposed for cybersecurity failures: the breach exposed the personal information of many customers, including Social Security numbers, email addresses, and names.

The DFS investigation found major problems with PayPal's cybersecurity program. The company had not staffed important cybersecurity roles with qualified personnel and had not provided enough training to reduce cybersecurity risk. These shortcomings were directly connected to the vulnerability that was exploited. A company is not automatically at fault simply because it gets hacked; it becomes responsible when it cannot show that it took reasonable steps to protect itself, because that failure exposes its users to risk.

The weakness was introduced by changes PayPal made to improve customer access to IRS Form 1099-Ks. The team that made those changes lacked sufficient training on PayPal's systems and application development practices, and the result was an error that opened the forms to attack. Attackers then used credential stuffing: taking username and password pairs leaked in other breaches and trying them against PayPal's login until one worked. Once a stolen login succeeds, the attacker can open forms containing that customer's private information.

DFS concluded that PayPal's controls were insufficient to stop credential stuffing. PayPal had no written policies for access management, identity management, or customer data protection, and it had not deployed basic countermeasures such as multi-factor authentication, CAPTCHA challenges, or limits on login attempts.

The $2 million fine may seem small for a company of PayPal's size. A more effective penalty would have been to publicly lay out just how exposed PayPal's systems were, which would have shown how serious the company's cybersecurity problems really were.
PayPal has since addressed and fixed the problems DFS identified and improved its cybersecurity practices. The changes are intended to prevent similar incidents from recurring.
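The missing controls DFS called out (login-attempt limits and a CAPTCHA or MFA step-up) are simple to reason about in code. The following is an added example, not PayPal's code and not part of the DFS order: a sliding-window login guard replayed over a constructed authentication log. The log format, the field names, the threshold values and the decision names (ALLOW, CHALLENGE, LOCK_ACCOUNT) are all assumptions made for this illustration. Passing None for both limits reproduces the unguarded baseline DFS described, so the same log can be run both ways and the difference compared.

```python
"""Login throttling against credential stuffing (added example, not PayPal's code).

Log format, field names and thresholds are assumptions; the log lines are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication log (not real data). Three actors:
#   203.0.113.7  - one source trying six different accounts once each (stuffing)
#   198.51.100.9 - a real user who mistypes her password twice, then succeeds
#   192.0.2.50   - one source hammering a single account until it gets in
# 'result' is what the password check WOULD return; the guard decides whether it runs.
SAMPLE_LOG = """\
2022-12-06T03:14:00Z ip=203.0.113.7 user=alice@example.com result=FAIL
2022-12-06T03:14:01Z ip=203.0.113.7 user=bob@example.com result=FAIL
2022-12-06T03:14:02Z ip=203.0.113.7 user=carol@example.com result=FAIL
2022-12-06T03:14:03Z ip=203.0.113.7 user=dave@example.com result=FAIL
2022-12-06T03:14:04Z ip=203.0.113.7 user=erin@example.com result=FAIL
2022-12-06T03:14:05Z ip=203.0.113.7 user=frank@example.com result=SUCCESS
2022-12-06T03:20:00Z ip=198.51.100.9 user=grace@example.com result=FAIL
2022-12-06T03:20:30Z ip=198.51.100.9 user=grace@example.com result=FAIL
2022-12-06T03:21:00Z ip=198.51.100.9 user=grace@example.com result=SUCCESS
2022-12-06T03:30:00Z ip=192.0.2.50 user=heidi@example.com result=FAIL
2022-12-06T03:30:01Z ip=192.0.2.50 user=heidi@example.com result=FAIL
2022-12-06T03:30:02Z ip=192.0.2.50 user=heidi@example.com result=FAIL
2022-12-06T03:30:03Z ip=192.0.2.50 user=heidi@example.com result=FAIL
2022-12-06T03:30:04Z ip=192.0.2.50 user=heidi@example.com result=FAIL
2022-12-06T03:30:05Z ip=192.0.2.50 user=heidi@example.com result=SUCCESS
"""


def parse_line(line):
    """Parse 'TIMESTAMP ip=... user=... result=...' into (ts, ip, user, result)."""
    ts_str, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, fields["ip"], fields["user"], fields["result"]


class LoginGuard:
    """Sliding-window limits applied BEFORE the password is checked.

    max_distinct_users_per_ip catches the stuffing pattern (one source, many
    accounts); max_failures_per_account catches brute force on one account.
    None disables a limit. Thresholds here are illustrative assumptions.
    """

    def __init__(self, window=timedelta(minutes=5),
                 max_distinct_users_per_ip=5, max_failures_per_account=5):
        self.window = window
        self.max_distinct_users_per_ip = max_distinct_users_per_ip
        self.max_failures_per_account = max_failures_per_account
        self.ip_attempts = defaultdict(deque)       # ip   -> deque[(ts, user)]
        self.account_failures = defaultdict(deque)  # user -> deque[(ts, user)]

    def _prune(self, dq, now):
        """Drop entries older than the window (entries arrive in time order)."""
        while dq and now - dq[0][0] > self.window:
            dq.popleft()

    def decide(self, now, ip, user):
        """Return ALLOW, CHALLENGE (step up to CAPTCHA/MFA) or LOCK_ACCOUNT."""
        ip_dq, acct_dq = self.ip_attempts[ip], self.account_failures[user]
        self._prune(ip_dq, now)
        self._prune(acct_dq, now)
        if (self.max_failures_per_account is not None
                and len(acct_dq) >= self.max_failures_per_account):
            return "LOCK_ACCOUNT"
        distinct_users = {u for _, u in ip_dq}
        if (self.max_distinct_users_per_ip is not None
                and len(distinct_users) >= self.max_distinct_users_per_ip):
            return "CHALLENGE"
        return "ALLOW"

    def record(self, now, ip, user, outcome):
        """Record the attempt; anything other than SUCCESS counts as a failure."""
        self.ip_attempts[ip].append((now, user))
        if outcome != "SUCCESS":
            self.account_failures[user].append((now, user))


def replay(log_text, guard):
    """Run each line through the guard; return [(user, decision, outcome)].

    If the guard does not ALLOW, the password is never checked, so even a
    correct stolen credential yields DENIED.
    """
    results = []
    for line in log_text.strip().splitlines():
        ts, ip, user, result = parse_line(line)
        decision = guard.decide(ts, ip, user)
        outcome = result if decision == "ALLOW" else "DENIED"
        guard.record(ts, ip, user, outcome)
        results.append((user, decision, outcome))
    return results


def successful_logins(results):
    """Users who actually got in, for comparing guarded and unguarded runs."""
    return [user for user, _, outcome in results if outcome == "SUCCESS"]


if __name__ == "__main__":
    no_limits = LoginGuard(max_distinct_users_per_ip=None, max_failures_per_account=None)
    print("no limits  :", successful_logins(replay(SAMPLE_LOG, no_limits)))
    print("with limits:", successful_logins(replay(SAMPLE_LOG, LoginGuard())))
```

Run as-is, the unguarded replay lets the stuffing source in on its sixth account and lets the single-account brute force in on its sixth try, while the guarded replay challenges the first and locks the second, and only the legitimate user who failed twice still gets through. The point of checking distinct usernames per source rather than only failures per account is that a stuffing attack touches each account once, so a per-account lockout alone never fires against it.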