PayPal

The New York State Department of Financial Services (DFS) has imposed a US$2m penalty on PayPal for failing to comply with the state’s strict cybersecurity regulations.

The DFS states that the firm did not use qualified personnel to manage key cybersecurity functions and failed to provide adequate training to address cybersecurity failures.

As a result, social security numbers (SSNs) and other sensitive customer information were left unredacted and ‘easily accessible to cybercriminals’. The DFS adds that the firm failed to implement and maintain written policies addressing access controls, identity management and customer data.

It also failed to use controls against unauthorised access to Nonpublic Information or Information Systems. The firm did not require customers to use multifactor authentication, and did not use rate limiting or controls such as CAPTCHA to prevent unauthorised access, which was of particular significance to the DFS.

Adrienne A. Harris, DFS Superintendent, said: “New York’s nation-leading cybersecurity regulation sets a critical standard for safeguarding consumer data and strengthening the resilience of financial institutions.

“Qualified cybersecurity personnel are the first line of defence against potential data breaches, and providing proper training and effectively implementing cybersecurity policies and procedures are vital steps to protecting sensitive data and mitigating risks.”

Cybersecurity has become a big talking point in payments across a number of prominent markets. The increasing digitisation of the sector, the use of AI by fraudsters and cybercriminals, as well as the emergence of blockchain and cryptocurrency have made this ever more important.

Across the Atlantic, in the EU, the Digital Operational Resilience Act (DORA) came into force this month. The Act puts a range of cybersecurity requirements on businesses, including financial institutions and related companies.

Incidents like the 2024 CrowdStrike outage and the hacking attacks against Santander and Ticketmaster last year have led to a significant onus being placed on cybersecurity. Regulators and consumers want reassurance that payment details are kept securely.

“What incidents like this highlight is the importance of shared responsibility,” says Fadl Mantash, Chief Information Security Officer at paytech company Tribe Payments. “Businesses can’t just assume their providers have everything covered; they need to have their own contingency plans in place.”

Back in the US, in PayPal’s case, the DFS notes that the company has rectified all of the abovementioned cybersecurity issues. The regulator states that the failures occurred after PayPal made changes to data flows to make IRS Form 1099-Ks available to more of its customers.

The teams tasked with making these changes were not trained on the firm’s systems and application development processes and, as a result, did not follow proper procedures when the changes went live. The DFS states that this subsequently exposed PayPal customers’ data to cybercriminals.