TIO Networks’ security glitch alters PayPal’s plans

PayPal wants to be ubiquitous, but its plan to add tens of millions of unbanked and underbanked consumers to its network through its $238 million acquisition of TIO Networks is currently on ice.

PayPal's goal was to integrate TIO Networks’ 14 million consumers with PayPal’s network, giving consumers who typically pay bills in cash the ability to transfer those funds into a digital network, significantly increasing convenience and payment options, according to recent information from PayPal executives.

“Over the course of the next year, we plan to fully integrate TIO into the PayPal experience, making it easier for people to move and manage their money digitally,” said Hamed Shahbazi, vice president of bill pay at PayPal, in a September email discussing the company’s strategy for TIO. PayPal closed the acquisition of the Canadian company in July.

David Paul Morris/Bloomberg

But those plans were altered last month when TIO’s services were abruptly frozen due to a suspected security glitch. On Dec. 1 PayPal confirmed that data from up to 1.6 million TIO customers may have been exposed, including personally identifiable information (PII) or financial data.

“There is no integration work taking place and the platforms remain separate,” PayPal spokesman Justin Higgs said on Monday, emphasizing that TIO services will not be fully restored until PayPal is confident in the security of the TIO systems and network.

“Our priority at this time is completing the ongoing investigation, implementing security practices and protocols at TIO that are on par with PayPal’s information security standards,” Higgs said.

The latest developments underscore the challenge growing data risks present for payment companies and for knitting disparate systems together to enable digital transactions.

One result of the recent spate of broad consumer data breaches—capped by the massive Equifax data breach in September— is a growing sense of transparency and accountability for the effects of data crises, experts say.

“Announcements like PayPal’s about their acquired entity TIO being breached are going to become common—and that’s a good thing,” said Jonathan Sander, chief technology officer of Stealthbits Technologies, a data security firm in Hawthorne, N.J. “In a sense, we are entering an era where only brands that are well trusted will be able to talk about security openly, the way PayPal has here. … PayPal knows it will actually come out ahead in the reputation calculus for telling us about the problems at TIO,” Sander said.

Sander noted that Uber recently disclosed that top executives tried to hide details about its own data security breach, an approach that backfired and has been widely condemned.

“PayPal has always been a very security-first organization, so it’s not surprising they decided to handle TIO’s incident this way,” Sander said.

What remains unknown is how long TIO will be out of service. On its website TIO says it cannot provide a timeline for restoring bill pay services, and recommends that customers contact billers to seek to identify alternative ways to pay their bills.

TIO’s rivals include PayNearMe, which provides walk-in bill payments through thousands of U.S. retail stores including 7-Eleven and CVS.

ACI Worldwide also provides consumer bill payment services; other competitors include New York-based Bango and India-based Obopay.