PayPal agreed to pay $2M in a settlement with New York for security issues exposing Social Security numbers of users. The breach stemmed from poor cybersecurity practices.
PayPal has agreed to pay $2M to settle charges by the New York Department of Financial Services (NYDFS). The case involved the exposure of sensitive customer data, including Social Security numbers. The breach occurred in 2022 when PayPal updated its data flows to roll out new features. However, the teams implementing the updates were untrained, leading to critical cybersecurity gaps.
The NYDFS investigation found PayPal lacked skilled staff for managing cybersecurity. Teams failed to follow internal procedures during the update, allowing cybercriminals to exploit exposed credentials. As a result, forms containing sensitive data were compromised. NYDFS emphasized the importance of proper training and oversight in its report.
PayPal self-reported the issue in late 2022 and has since overhauled its cybersecurity protocols. The company implemented stricter training programs and hired specialized teams to ensure such breaches do not happen again. NYDFS acknowledged these improvements in its statement announcing the settlement.
PayPal is not the first fintech to face regulatory fines. Earlier, Block was fined $255M over anti-money laundering failures linked to its Cash App. Meanwhile, PayPal continues expanding, recently launching group payment features in the U.S. and Europe. The company is also working on NFC-based payments for iPhone users in the EU, leveraging Apple’s newly opened APIs.
Should fintechs face stricter penalties for security breaches?