By Rick Steves
January 24, 2025

The New York State Department of Financial Services (NYDFS) has imposed a $2 million penalty on PayPal for failing to meet cybersecurity requirements.
The violations resulted in sensitive customer data, including Social Security Numbers (SSNs), being exposed to cybercriminals.
PayPal users’ Social Security Numbers (SSNs) exposed to hackers
The NYDFS investigation revealed that PayPal failed to employ qualified personnel to manage key cybersecurity functions. Additionally, the company did not provide adequate training to its teams. These failures occurred during the implementation of changes designed to make IRS Form 1099-Ks available to a larger customer base. Teams implementing the changes lacked training on PayPal’s systems and application development processes, leading to errors that compromised customer data.
PayPal’s failure to follow proper procedures resulted in cybercriminals accessing Form 1099-Ks containing sensitive information, including SSNs. The company also failed to implement written policies addressing access controls, identity management, and customer data protection. Controls such as multifactor authentication, CAPTCHA, and rate limiting were not employed, increasing the risk of unauthorized access.
The NYDFS cited PayPal’s lack of effective controls to safeguard nonpublic information and its information systems. The department noted that PayPal has since remediated the issues and improved its cybersecurity practices. These changes align with the NYDFS Cybersecurity Regulation, which has been in effect since March 2017 and was recently amended in November 2023.
“Cybersecurity personnel are the first line of defense against potential data breaches”
Adrienne A. Harris, Superintendent of Financial Services, said: “New York’s nation-leading cybersecurity regulation sets a critical standard for safeguarding consumer data and strengthening the resilience of financial institutions. Qualified cybersecurity personnel are the first line of defense against potential data breaches, and providing proper training and effectively implementing cybersecurity policies and procedures are vital steps to protecting sensitive data and mitigating risks.”
The NYDFS regulation emphasizes the importance of cybersecurity personnel, comprehensive training, and the implementation of robust policies to protect consumer data. Superintendent Harris reiterated the department’s commitment to enforcing these standards and ensuring the resilience of financial institutions.
The penalty against PayPal is part of the NYDFS’s ongoing efforts to enforce its cybersecurity regulations. The department aims to strengthen the industry’s defenses against cyber threats and ensure compliance with state-mandated standards. PayPal’s settlement highlights the importance of adhering to cybersecurity requirements to protect customer data and maintain trust in the financial services sector.

The NYDFS will continue to monitor compliance with its cybersecurity regulations and take action against institutions failing to meet the required standards. The department’s goal is to create a secure financial environment that safeguards consumer data and promotes resilience in the face of evolving cyber threats.