The New York State Department of Financial Services (NYDFS) fined PayPal $2 million for failing to meet the department's cybersecurity standards, following a data breach in December 2022. The breach exposed sensitive customer information, including Social Security numbers and names, after PayPal made changes to data flows for IRS Form 1099-Ks without proper risk assessments. Hackers exploited vulnerabilities through a credential stuffing attack, compromising around 35,000 accounts. The NYDFS investigation found multiple violations, including unqualified cybersecurity staff, lack of training, weak access controls, and inadequate policies. PayPal has since taken steps to address the issue, including implementing stronger security measures and training, but this incident highlights the importance of robust cybersecurity practices for financial institutions.