Bedrock Blog

Exposed Numbers, Exposed Risks: The Story Behind PayPal's $2 Million Data Breach

Written by Jeremy Linden | Feb 6, 2025 7:11:07 PM

On January 23rd, the New York State Department of Financial Services (NYDFS) announced a $2 million settlement with PayPal over a data breach dating back to 2022. The incident potentially exposed sensitive information of PayPal users, including names, dates of birth, addresses, Individual Taxpayer Identification Numbers, and Social Security numbers. NYDFS found that PayPal had violated 23 NYCRR Part 500, the state's cybersecurity regulation, which requires financial services providers to maintain effective controls to prevent unauthorized access to consumers' nonpublic information.

What Happened?

According to the Consent Order published by NYDFS, the incident arose while PayPal was implementing changes to send Form 1099-K to a substantially larger group of users than before. Form 1099-K, which reports the volume of payment-card and third-party-network transactions to the IRS, contains sensitive information including the recipient's Social Security Number (SSN).

Normally, the copy filed with the IRS carries the full SSN, while the copy the user sees has it masked, typically to the last four digits. However, because of an error by PayPal engineers during implementation, the forms were processed without that masking. As a result, users were able to download versions of the form that displayed the complete SSN.

What Was the Impact?

This vulnerability did not go unnoticed by threat actors. They began targeting PayPal user accounts through "credential stuffing", in which username and password pairs stolen from other breaches are replayed against PayPal's login on the assumption that users reuse passwords across sites. The attackers' goal was to download users' 1099-K forms and harvest the SSNs on them, which enables identity theft such as opening credit cards in the victims' names. Because the IRS requires 1099-K filings for a broad set of payees, a large population of accounts had a downloadable form and was exposed to this threat.

The situation was aggravated by missing compensating controls: PayPal did not require multi-factor authentication (MFA) on customer logins and had no CAPTCHA or rate limiting in place, so attackers could try large volumes of stolen credentials quickly and with little friction.
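As an added example that is not part of the original post and is not Bedrock's or PayPal's code, the following Python sketch shows how the credential-stuffing pattern described above can be picked out of a web tier's authentication log. The distinguishing signal is many distinct usernames from one source in a short window, not many attempts against one account, and any success from such a source is a probable account takeover. The log format, the thresholds, and every log line are constructed for the illustration; the addresses are documentation ranges and the accounts are fictitious.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of authentication events (fictitious users, documentation IPs).
# Format assumed for this example: "<ISO-8601 UTC timestamp> <src_ip> <username> <LOGIN_OK|LOGIN_FAIL>"
SAMPLE_LOG = """\
2022-12-06T10:00:01Z 203.0.113.7 alice LOGIN_FAIL
2022-12-06T10:00:02Z 203.0.113.7 bob LOGIN_FAIL
2022-12-06T10:00:02Z 203.0.113.7 carol LOGIN_FAIL
2022-12-06T10:00:03Z 203.0.113.7 dave LOGIN_OK
2022-12-06T10:00:04Z 203.0.113.7 erin LOGIN_FAIL
2022-12-06T10:00:05Z 203.0.113.7 frank LOGIN_FAIL
2022-12-06T10:00:06Z 203.0.113.7 grace LOGIN_FAIL
2022-12-06T10:00:07Z 203.0.113.7 heidi LOGIN_OK
2022-12-06T10:00:08Z 203.0.113.7 ivan LOGIN_FAIL
2022-12-06T10:00:09Z 203.0.113.7 judy LOGIN_FAIL
2022-12-06T10:05:00Z 198.51.100.2 alice LOGIN_FAIL
2022-12-06T10:05:20Z 198.51.100.2 alice LOGIN_FAIL
2022-12-06T10:06:00Z 198.51.100.2 alice LOGIN_OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (LOGIN_OK|LOGIN_FAIL)$")


def parse_log(text):
    """Parse log lines into (timestamp, src_ip, username, success) tuples.

    Malformed lines are skipped rather than allowed to crash the detector.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4) == "LOGIN_OK"))
    return events


def detect_credential_stuffing(events, bucket_minutes=5, min_users=5, min_failures=5):
    """Flag (source IP, time bucket) pairs that touch many distinct accounts.

    Brute force is many passwords against one account; credential stuffing is
    one stolen password against each of many accounts, so the discriminator is
    distinct usernames per source. Successes from a flagged source are listed
    as accounts to reset and step up authentication on. Thresholds are
    illustrative and must be tuned to the site's own traffic.
    """
    stats = defaultdict(lambda: {"users": set(), "failures": 0, "compromised": set()})
    for ts, ip, user, ok in events:
        bucket = ts.replace(minute=ts.minute - ts.minute % bucket_minutes,
                            second=0, microsecond=0)
        s = stats[(ip, bucket)]
        s["users"].add(user)
        if ok:
            s["compromised"].add(user)
        else:
            s["failures"] += 1

    alerts = []
    for (ip, bucket), s in sorted(stats.items()):
        if len(s["users"]) >= min_users and s["failures"] >= min_failures:
            alerts.append({
                "src_ip": ip,
                "window_start": bucket.isoformat(),
                "distinct_users": len(s["users"]),
                "failures": s["failures"],
                "compromised": sorted(s["compromised"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_stuffing(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed sample the detector flags 203.0.113.7, which cycled through ten accounts in nine seconds and got into two of them, while 198.51.100.2, which retried a single account, is not flagged. The same per-source statistics are what a rate limiter or CAPTCHA challenge would key on; without either, the attacker in the consent order could run this pattern at full speed.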

How Bedrock Could Have Helped

This incident highlights the critical importance of comprehensive data handling practices. One approach PayPal could have taken is to deploy a data security and management platform such as Bedrock Security. Bedrock's proactive approach would have made it easier to surface, and alert on, data that violated PayPal's own security and compliance policies.

In this case, PayPal would have been able to rapidly develop insights from the Bedrock Metadata Lake, which stores data discovered and classified by the Bedrock platform and feeds processes such as complete entitlement-chain analysis of human and non-human identities.


Additionally, PayPal could have set a policy preventing full SSNs from ever being accessible to front-end web applications, which have no business displaying them and present a substantial liability if compromised. Our platform would have been invaluable in monitoring data security compliance, automatically alerting PayPal's security team whenever unmasked SSNs were detected in any unauthorized or unexpected location. PayPal could instead have assembled a custom set of tools and written and maintained its own detection rules, but keeping coverage and accuracy as data, systems, and user roles changed would have been difficult.
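The masking step described under "What Happened?" and the "no full SSN in front-end output" check described in this paragraph, as one added Python example that is neither Bedrock's product code nor anything from PayPal's systems. The record layout, the copy names ("a" for the IRS filing, "b" for the payee copy), the download handler, and the buggy renderer are assumptions made for the illustration; the SSNs are fabricated.

```python
import re

# Constructed 1099-K records for this example (fabricated SSNs, fictitious payees).
FORMS = [
    {"payee": "Example Seller LLC", "tin": "123-45-6789", "gross": "12500.00"},
    {"payee": "J. Doe", "tin": "987-65-4321", "gross": "801.50"},
]

# Nine digits, optionally hyphenated, bounded by non-digits so a masked
# "XXX-XX-6789" or a dollar amount does not match.
FULL_SSN_RE = re.compile(r"(?<!\d)(\d{3})-?(\d{2})-?(\d{4})(?!\d)")


def mask_tin(tin):
    """Return the payee-copy form of a TIN: only the last four digits survive."""
    digits = re.sub(r"\D", "", tin)
    if len(digits) != 9:
        raise ValueError("TIN must have exactly nine digits")
    return "XXX-XX-" + digits[-4:]


def render_1099k(form, copy):
    """Render one 1099-K as text.

    copy="a" is the IRS filing and carries the full TIN.
    copy="b" is the payee copy, which is what the web front end serves, and
    carries the truncated TIN.
    """
    if copy == "a":
        tin = form["tin"]
    elif copy == "b":
        tin = mask_tin(form["tin"])
    else:
        raise ValueError("copy must be 'a' (IRS) or 'b' (payee)")
    return f"Form 1099-K\nPAYEE: {form['payee']}\nTIN: {tin}\nGROSS: {form['gross']}\n"


def render_1099k_buggy(form, copy):
    """The failure mode the post describes: the copy flag is ignored, so the
    payee copy goes out with the full TIN. Kept only to show that the guard
    below catches it; do not use."""
    return f"Form 1099-K\nPAYEE: {form['payee']}\nTIN: {form['tin']}\nGROSS: {form['gross']}\n"


def find_unmasked_ssns(text):
    """Return every full SSN-shaped value in text.

    Run this over anything headed to a front end, a log, or an export bucket
    where a full SSN has no business being.
    """
    return [f"{a}-{b}-{c}" for a, b, c in FULL_SSN_RE.findall(text)]


def serve_payee_copy(form, renderer=render_1099k):
    """What the download endpoint would return.

    Refuses to serve a payload in which a full SSN survived masking and
    returns (None, findings) instead; in production this is where you block
    the response, page the security team, and open an incident.
    """
    body = renderer(form, "b")
    leaked = find_unmasked_ssns(body)
    if leaked:
        return None, leaked
    return body, []


if __name__ == "__main__":
    for form in FORMS:
        body, leaked = serve_payee_copy(form)
        print(body if body else f"BLOCKED: full SSN in payee copy: {leaked}")
    body, leaked = serve_payee_copy(FORMS[0], renderer=render_1099k_buggy)
    print(body if body else f"BLOCKED: full SSN in payee copy: {leaked}")
```

The point of the second guard is that it is independent of the renderer: a regression in the masking code (here, the buggy renderer standing in for the implementation error in the consent order) is caught at the boundary where the document leaves the back end, rather than discovered by a customer or an attacker. The regex is deliberately coarse; a nine-digit dollar amount would trip it, and a production scanner would use field context and checksums alongside the pattern.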

Reducing Risk and Brand Damage

Given that roughly a month and a half passed between the error and the attackers' first exploitation of it, proactive monitoring of this kind could have given PayPal's security team enough time to identify and correct the error before any real damage was done. Such preventive measures could have saved PayPal the settlement and spared it the considerable negative publicity that followed the breach.

Implementing robust data security policies, and the tools to enforce them, ensures that weaknesses can be addressed promptly, greatly reducing the likelihood of a successful attack. PayPal's unfortunate incident is a reminder that every business should review its data security and management systems as a matter of urgency and upgrade them where necessary.