
PayPal has agreed to pay a $2 million fine after it was revealed that customer data, including social security numbers, was compromised due to poor cybersecurity measures. The incident occurred as a result of poor cyber threat management.
The New York State Department of Financial Services imposed the fine after investigating the company’s failure to provide adequate cybersecurity. The data leak included the names, dates of birth and social security numbers of PayPal customers. The incident lasted about seven weeks and was attributed to inadequate staff qualifications and a lack of required cybersecurity training. The company also did not use multi-factor authentication or CAPTCHA to prevent unauthorized access, according to CFO Adrienne Harris.
The investigation found that the breach occurred after PayPal made changes to its data flow to give customers better access to tax forms. Following the incident, the company forced a password change on affected accounts, implemented multi-factor authentication for all customers in the U.S., and added CAPTCHAs to protect accounts. In a statement, PayPal said that protecting customers’ personal information is a top priority.
The fine was imposed for violating cybersecurity rules adopted by the New York State Department of Financial Services in 2017. While this is not the first time a major financial company has faced such problems, the PayPal case is a reminder to the industry of the importance of proper risk management. Properly protecting customer data, regularly training employees, and implementing the latest security technologies should become commonplace for companies that handle information.