PayPal Fined $2 Million for Violations of Cybersecurity Regulation
PayPal must pay a $2 million penalty to New York for violating elements of the state Department of Financial Services' Cybersecurity Regulation, the department's Superintendent Adrienne Harris announced on Thursday. An investigation found that the financial technology company employed unqualified personnel to manage key cybersecurity functions. In addition, it didn't provide proper training in addressing cybersecurity risks, leaving sensitive customer information accessible to cybercriminals, the department said.
“Qualified cybersecurity personnel are the first line of defense against potential data breaches, and providing proper training and effectively implementing cybersecurity policies and procedures are vital steps to protecting sensitive data and mitigating risks,” Harris said.
The exposed customer information included Social Security numbers, which were revealed after changes to data flows were implemented at PayPal by people not trained on the company's systems, so proper procedures were not followed, the department said. Additionally, the investigation revealed that written policies addressing things like access controls and customer data were not implemented or maintained, Harris said.
“Protecting consumers’ personal information and maintaining a secure platform is a top priority for us, and we take our regulatory responsibilities seriously,” said PayPal in an emailed statement. “After self-reporting and disclosing this issue, we worked closely with the New York Department of Financial Services to resolve this matter, which occurred in December 2022.”