NYDFS penalizes PayPal $2M over 2022 data breach


On Tuesday, the New York State Department of Financial Services announced a $2 million settlement with PayPal over violations of the state's cybersecurity regulation related to a December 2022 cyberattack in which the personal information of 34,942 customers was breached.

PayPal had failed to adequately train teams that implemented a change to make IRS Form 1099-K available to more of its customers, according to the settlement. As a result of this lack of training, the teams failed to follow proper procedures before the changes went live, allowing hackers to access the forms, which contained sensitive personal identity data.

The settlement was significant in part because it was the product of close NYDFS scrutiny of the process that the PayPal engineering team in charge of the 1099-K change followed.

The settlement details how the PayPal engineering team had misclassified the change as a platform migration rather than a new capability or feature for an existing product, meaning that no risk and control identification process was conducted prior to the change going live.

This meant that no risk assessment, penetration test or vulnerability scan of the change occurred, and no formal approval was given to launch the 1099-K change. The 1099-K forms PayPal made available to customers contained Social Security numbers, as many such tax forms require, but a credential stuffing attack allowed threat actors to access these forms en masse.

A credential stuffing attack involves taking usernames and passwords from another source — possibly a data breach in which these credentials are leaked — and trying to use them to log in to other services. The attack works when people reuse their passwords for many different logins rather than using a password manager or other method to keep track of unique passwords for each service.

A PayPal security analyst discovered the data breach only after finding a message online that a user was able to access PayPal customers' Social Security numbers by following a link on PayPal's website.

The next day, a credential stuffing attack took place, and PayPal stopped the attack with rate limiting — restricting how often someone can repeat an action like logging into an account — and CAPTCHA (the "Are you a robot?" challenges that involve selecting the images that contain a motorcycle, and the like).

The company also masked the exposed personal information and reset the passwords of affected accounts. This exposed personal information included names, dates of birth, addresses, Social Security numbers, tax IDs and phone numbers.


After the settlement was announced Thursday, a spokesperson for PayPal said that protecting consumers' personal information and maintaining a secure platform "is a top priority for us and we take our regulatory responsibilities seriously."

"After self-reporting and disclosing this issue, we worked closely with the New York Department of Financial Services to resolve this matter, which occurred in December 2022," the spokesperson said.

The investigation by the NYDFS found that PayPal failed to use qualified personnel to manage key cybersecurity functions and failed to provide adequate training to address cybersecurity risks.

PayPal failed to implement and maintain written policies that address access controls, identity management and customer data protection, according to the settlement. It also failed to use effective controls to protect against unauthorized access to nonpublic information (i.e., personal identity data).

Prior to the incident, PayPal did not require customers to use multifactor authentication or use controls like CAPTCHA or rate limiting to prevent unauthorized access. The company has since added rate limiting, made multifactor authentication, or MFA, required for all U.S. customer accounts, updated its policies, provided training and improved code monitoring, according to the settlement.

Besides highlighting the oversight that NYDFS is willing to exercise to enforce its cybersecurity regulations, the incident also illustrates how vulnerable accounts without MFA are to credential stuffing. Companies often cannot prevent users from reusing passwords, and failing to implement rate limiting and MFA often leaves those accounts vulnerable to credential stuffing attacks.
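The two controls the article names, rate limiting and a step-up challenge, are easiest to see in code. The following is an added example written for this page, not code from the article or from PayPal: it replays constructed login-attempt log lines (the log format, source addresses, usernames and thresholds are all assumptions) through a per-source sliding-window limiter. A source that hammers one account is throttled; a source that walks through many different usernames with mostly failures shows the credential-stuffing signature described above and is sent to a challenge (CAPTCHA or MFA), including the attempt that happens to succeed.

```python
"""Windowed rate limiting with a credential-stuffing signal.

Added example, not code from the article or from PayPal. It replays
constructed login-attempt log lines (format is an assumption) through a
per-source sliding-window limiter and returns a decision for each attempt:
'allow', 'throttle' (plain rate limit) or 'challenge' (step-up such as
CAPTCHA or MFA, because the source shows a stuffing pattern).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Illustrative thresholds (assumptions; tune against real traffic).
WINDOW = timedelta(seconds=60)
MAX_ATTEMPTS_PER_SOURCE = 5    # attempts per source inside WINDOW before throttling
MIN_DISTINCT_USERS = 3         # distinct usernames per source that marks stuffing


class LoginRateLimiter:
    """Keeps a sliding window of attempts per source address."""

    def __init__(self, window=WINDOW, max_attempts=MAX_ATTEMPTS_PER_SOURCE,
                 min_distinct_users=MIN_DISTINCT_USERS):
        self.window = window
        self.max_attempts = max_attempts
        self.min_distinct_users = min_distinct_users
        self.attempts = defaultdict(deque)  # source -> deque of (ts, user, ok)

    def _prune(self, source, now):
        """Drop attempts that fell out of the window."""
        q = self.attempts[source]
        while q and now - q[0][0] > self.window:
            q.popleft()

    def check(self, ts, source, user, ok):
        """Record one attempt and decide how to treat it."""
        self._prune(source, ts)
        q = self.attempts[source]
        q.append((ts, user, ok))
        distinct_users = {u for _, u, _ in q}
        failures = sum(1 for _, _, success in q if not success)
        # Stuffing signature: one source walking many accounts, mostly failing.
        # A success inside such a burst is still challenged, since a stuffed
        # credential that works is exactly the case MFA/CAPTCHA must catch.
        if len(distinct_users) >= self.min_distinct_users and 2 * failures >= len(q):
            return "challenge"
        # Plain volume limit: one account hammered from one source.
        if len(q) > self.max_attempts:
            return "throttle"
        return "allow"


def parse_line(line):
    """Parse 'TIMESTAMP ip=... user=... result=ok|fail' (constructed format)."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return ts, kv["ip"], kv["user"], kv["result"] == "ok"


def replay(log_lines, limiter=None):
    """Run every log line through the limiter; return (ip, user, decision) per line."""
    limiter = limiter or LoginRateLimiter()
    return [(ip, user, limiter.check(ts, ip, user, ok))
            for ts, ip, user, ok in map(parse_line, log_lines)]


def challenged_sources(decisions):
    """Source addresses that triggered the stuffing signal at least once."""
    return {ip for ip, _, d in decisions if d == "challenge"}


# Constructed sample: 203.0.113.7 walks many accounts (stuffing),
# 198.51.100.5 is one user mistyping then succeeding, 192.0.2.9 hammers one account.
SAMPLE_LOG = [
    "2022-12-06T10:00:01Z ip=203.0.113.7 user=alice result=fail",
    "2022-12-06T10:00:02Z ip=198.51.100.5 user=alice result=fail",
    "2022-12-06T10:00:03Z ip=203.0.113.7 user=bob result=fail",
    "2022-12-06T10:00:04Z ip=203.0.113.7 user=carol result=fail",
    "2022-12-06T10:00:05Z ip=198.51.100.5 user=alice result=ok",
    "2022-12-06T10:00:06Z ip=203.0.113.7 user=dave result=fail",
    "2022-12-06T10:00:07Z ip=203.0.113.7 user=erin result=ok",
] + [
    f"2022-12-06T10:00:{10 + i:02d}Z ip=192.0.2.9 user=frank result=fail" for i in range(6)
] + [
    "2022-12-06T10:02:00Z ip=203.0.113.7 user=zoe result=fail",  # window has expired
]

if __name__ == "__main__":
    for ip, user, decision in replay(SAMPLE_LOG):
        print(f"{ip:14} {user:6} {decision}")
```

The two rules are deliberately separate: a volume limit alone would let a stuffing run stay under the threshold by spreading attempts across accounts, while the distinct-username rule alone would miss a single account being hammered. The last sample line shows the window expiring, which is why a limiter like this is a mitigation rather than a substitute for MFA.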

Multifactor authentication is a strong defense against these attacks, and for many financial institutions and fintechs, consumer accounts must include it by default. In particular, NYDFS requires financial services companies in the state to enable multifactor authentication for any account that can access the bank's internal systems and requires a risk assessment to determine whether consumer accounts also need it.
