PayPal has agreed to pay $2 million to settle charges by the New York State Department of Financial Services (NYDFS) over cybersecurity lapses that exposed customers’ Social Security numbers.
An investigation by the NYDFS found that the company failed to assign qualified personnel to manage critical cybersecurity tasks and did not provide adequate training to address potential cyber risks.
The data breach occurred when PayPal modified existing data flows to make IRS Form 1099-Ks available to more customers. However, the teams responsible for implementing these changes were not properly trained on PayPal’s systems or application development protocols. As a result, improper procedures were followed, enabling cybercriminals to exploit compromised credentials to access the tax forms, which contained sensitive customer data, including Social Security numbers.
PayPal identified the breach in late 2022 and promptly reported it to authorities. Since then, the company has resolved the issues and strengthened its cybersecurity measures, according to the NYDFS. The settlement underscores the importance of rigorous cybersecurity practices, especially when handling sensitive customer data.