Lessons from PayPal’s $2 Million Cybersecurity Settlement with the New York State Department of Financial Services

Faegre Drinker Biddle & Reath LLP

Introduction

On January 23, 2025, PayPal settled an enforcement action brought by the New York State Department of Financial Services (NY DFS) for failing to comply with cybersecurity regulations required for financial services businesses under the Department’s supervision.  The settlement, which included a $2 million fine and required remedial measures, arose out of a cybersecurity incident where hackers gained access to PayPal customers’ sensitive information contained on tax forms in PayPal’s systems.  As discussed further below, the incident highlights the importance of implementing an effective cybersecurity program and ensuring that employees are adequately trained to follow the policy in practice.

Summary of the PayPal Enforcement Decision

The NY DFS sets standards for cybersecurity practices among financial institutions through cybersecurity regulations established at 23 NYCRR Part 500.  These regulations require all DFS-regulated entities to establish and maintain a comprehensive cybersecurity program to protect consumers’ nonpublic information (NPI) and ensure the security of information systems.

The Incident

The Department’s investigation into PayPal’s cybersecurity practices was triggered by a cybersecurity incident that occurred in December 2022.  Due to changes in federal tax laws, PayPal amended its systems to provide more customers with “Form 1099-Ks,” which contain sensitive information such as Social Security Numbers (SSNs), names, and dates of birth.  One day after the new system was implemented, threat actors exploited a vulnerability allowing them to gain unauthorized access to accounts through a “credential-stuffing” scheme.  Once in the account, they were able to access unmasked (i.e., not encrypted, anonymized or otherwise shielded from view) customer data contained in the Form 1099-Ks.  PayPal stopped the attack by adding CAPTCHA and rate-limiting and remediated the harm by masking the data and enforcing account resets on impacted accounts.
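The two technical controls the paragraph names, masking the NPI on the 1099-K and rate-limiting failed logins, are illustrated below as an added example; this is not PayPal's code or anything from the settlement, and the record, field formats and thresholds are constructed for the illustration.

```python
import re
from collections import defaultdict, deque

# Constructed sample 1099-K record (not real data): the fields the page
# lists as exposed, i.e. SSN, name and date of birth.
SAMPLE_1099K = {"name": "Jane Example", "ssn": "123-45-6789", "dob": "1985-07-04"}

def mask_1099k(record):
    """Return a display copy with NPI masked: last four of the SSN only,
    year of birth only. The name stays, since it is shown to the account holder."""
    ssn = record["ssn"]
    if not re.fullmatch(r"\d{3}-\d{2}-\d{4}", ssn):
        raise ValueError("SSN not in expected format")
    return {
        "name": record["name"],
        "ssn": "***-**-" + ssn[-4:],
        "dob": record["dob"][:4] + "-**-**",
    }

class LoginRateLimiter:
    """Sliding-window limiter on failed logins. Two keys are tracked:
    per account (classic brute force) and per source address, which is
    what catches credential stuffing: one source cycling through many accounts."""
    def __init__(self, per_account=5, per_source=20, window_s=300):
        self.per_account, self.per_source, self.window = per_account, per_source, window_s
        self.failures = defaultdict(deque)   # key -> timestamps of failures

    def _count(self, key, now):
        q = self.failures[key]
        while q and now - q[0] > self.window:   # drop events outside the window
            q.popleft()
        return len(q)

    def record_failure(self, account, source, now):
        self.failures[("acct", account)].append(now)
        self.failures[("src", source)].append(now)

    def is_blocked(self, account, source, now):
        """True when either key exceeds its budget; the caller should then
        require a CAPTCHA or MFA step-up rather than keep accepting attempts."""
        return (self._count(("acct", account), now) >= self.per_account or
                self._count(("src", source), now) >= self.per_source)
```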

The Cause of the Incident & NY DFS Cybersecurity Violations

NY DFS concluded that the incident was caused by a combination of factors.  Although PayPal had an existing policy (the “Risk and Control Identification Process”) designed to ensure that it analyzes and tests any product change for cybersecurity vulnerabilities, the team implementing the 1099-K change was not adequately trained on the application of this policy.  As a result, the team misclassified the change, and no analysis or testing under the policy was performed on the new 1099-K process; such testing might have identified that the data was unmasked and that a security vulnerability existed that provided unauthorized access.  Additionally, although PayPal had a policy that all account information be protected through “risk-based authentication,” the company permitted multi-factor authentication (MFA) to be optional for accounts.  Mandatory MFA would have frustrated the threat actors’ ability to gain access to accounts.

NY DFS identified three key violations of the Cybersecurity Regulations, alleging the following:

  1. Inadequate Implementation of Cybersecurity Policies: PayPal failed to properly implement its own cybersecurity policies and procedures, particularly those related to access controls, identity management, and customer data privacy, in violation of 23 NYCRR §§ 500.3(d), (i), and (k).
  2. Unqualified Cybersecurity Personnel: PayPal did not utilize qualified cybersecurity personnel to oversee and perform core cybersecurity functions, nor did it provide adequate training to its personnel, in violation of 23 NYCRR § 500.10(a).
  3. Ineffective Access Controls: PayPal failed to use effective controls, such as mandatory Multi-Factor Authentication (MFA), to prevent unauthorized access to NPI, as required by 23 NYCRR § 500.12(a).

PayPal’s Fine and Remediation

To resolve the matter, PayPal agreed to pay a $2 million fine and implement several remedial measures, including the following:

  • Masking exposed NPI and implementing CAPTCHA to prevent automated account access.
  • Updating policies to ensure clarity on when the Risk and Control Identification Process (RCIP) applies.
  • Providing comprehensive training to its engineering team on deploying code and enforcing RCIP.
  • Requiring MFA for all U.S. customer account logins.

Notably, NY DFS identified PayPal’s cooperation during the investigation and its efforts to promptly remediate the identified issues as important factors in its settlement decision.

Takeaways

Several lessons can be learned from this action:

Paper Compliance vs. Effective Compliance

The enforcement action against PayPal underscores the critical importance of not just creating, but effectively implementing and maintaining comprehensive cybersecurity policies and procedures that are consistent with the expectations of your regulator.  Although PayPal had an existing cybersecurity policy, the failure by the relevant employees to follow that policy effectively rendered its protections irrelevant.  Entities must ensure not only that they have written thoughtful, risk-based cybersecurity policies, but that their employees are properly trained and consistently follow those policies in their daily work.

Training Qualified Cybersecurity Personnel

The case highlights how simple user error—in this case incorrectly designating the type of work being conducted—can lead to a serious cybersecurity incident.  Rigorous and continuous training for staff on the cybersecurity policies relevant to their job is the best defense against human error like what occurred here.  Additionally, employing competent cybersecurity personnel in supervisory roles may also help “issue-spot” errors by employees who are not as familiar with proper data handling and effective cybersecurity practices.

Implementation of Effective Access Controls

The failure to use mandatory MFA was a significant factor in the unauthorized access to PayPal’s systems. Financial institutions should prioritize the implementation of effective access controls, such as MFA, to safeguard sensitive consumer information and prevent unauthorized access.

Timely and Proactive Remediation

PayPal’s prompt response to the cybersecurity event, including masking exposed NPI and enforcing CAPTCHA, demonstrates the importance of timely and proactive remediation efforts. Organizations must be prepared to act swiftly in the event of a cybersecurity incident to mitigate potential damage, restore security, and maintain or gain credibility with government regulators and investigators.

Cooperation with Regulatory Authorities

Although the details are limited, NY DFS’s discussion of PayPal’s “commendable cooperation” indicates that efforts to work closely with the regulator likely led to a more favorable settlement than might otherwise have occurred.  Companies should evaluate, both as a general policy and after a particular cybersecurity incident, how they will approach an investigation by a regulator like NY DFS to ensure they receive credit for cooperation.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Faegre Drinker Biddle & Reath LLP
