On January 23, 2025, the New York State Department of Financial Services (NYDFS) announced a Consent Order against PayPal, Inc., imposing a $2 million civil penalty for violations of New York’s cybersecurity regulations. This enforcement action underscores the growing regulatory scrutiny on financial institutions’ cybersecurity practices and highlights the importance of compliance with 23 NYCRR Part 500 (the “Cybersecurity Regulation”), New York’s leading cybersecurity regulation. This was the first enforcement action announced since the Cybersecurity Regulation was revised. You can find prior articles in our six-part series on the Cybersecurity Regulation on the Frankfurt Kurnit Technology Law blog: Part 1, Part 2, Part 3, Part 4, Part 5, and Part 6.
Background
NYDFS, as the primary financial services regulator in New York, has long emphasized the need for robust cybersecurity programs to protect consumers' sensitive financial information. Under the Cybersecurity Regulation, financial institutions must establish comprehensive cybersecurity policies, employ qualified cybersecurity personnel, and implement effective data protection controls to prevent unauthorized access to Nonpublic Information (NPI).
PayPal, the popular payments application, holds both a money transmitter license and a BitLicense from NYDFS, making it subject to these regulatory requirements. However, a cybersecurity event in December 2022 exposed deficiencies in PayPal’s cybersecurity controls, prompting NYDFS to launch an investigation that ultimately led to the recent enforcement action.
The December 2022 Cybersecurity Breach
The cybersecurity incident at PayPal stemmed from a security flaw in its Form 1099-K system, which inadvertently exposed certain customers’ Social Security Numbers (SSNs), names, and dates of birth. The issue came to light when a PayPal security analyst discovered an online post that provided instructions on how to access users’ SSNs through PayPal’s website. Further investigation revealed that threat actors had been gaining access to accounts through credential stuffing attacks, in which attackers replay username and password pairs stolen in other breaches against a login page, relying on users reusing passwords across sites, and then retrieving the unmasked SSNs from the tax form system.
The breach was directly linked to PayPal’s failure to conduct a proper security review of its tax form system update. Due to misclassification of the system change, PayPal’s engineering team bypassed key cybersecurity protocols, including risk assessments, penetration testing, and vulnerability scanning. As a result, the unmasked SSNs and other sensitive data remained exposed, making it easier for malicious actors to exploit the vulnerability.
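The two controls the breach narrative above points to are a credential-stuffing detector on the login path and masking of SSNs in anything rendered to a logged-in session. The following is an added example written for this article; it is not PayPal's code and is not described in the Consent Order. The log format, IP addresses, account names, thresholds and the `step_up_verified` flag are all constructed for illustration.

```python
"""Added illustration for the PayPal/NYDFS article: a credential-stuffing
heuristic over constructed login logs, plus SSN masking for a tax form view.
Not PayPal's code; every name, address and threshold here is assumed."""
import re
from collections import defaultdict

# Constructed sample: "timestamp source_ip username outcome" per line.
# 203.0.113.5 sprays many different accounts (a stuffing pattern);
# 198.51.100.7 is one user retrying their own password.
SAMPLE_LOG = """\
2022-12-06T10:00:01Z 203.0.113.5 alice FAIL
2022-12-06T10:00:02Z 203.0.113.5 bob FAIL
2022-12-06T10:00:02Z 203.0.113.5 carol FAIL
2022-12-06T10:00:03Z 203.0.113.5 dave OK
2022-12-06T10:00:03Z 203.0.113.5 erin FAIL
2022-12-06T10:00:04Z 203.0.113.5 frank FAIL
2022-12-06T10:00:05Z 203.0.113.5 grace OK
2022-12-06T10:00:06Z 203.0.113.5 heidi FAIL
2022-12-06T10:00:07Z 203.0.113.5 ivan FAIL
2022-12-06T10:00:08Z 203.0.113.5 judy FAIL
2022-12-06T10:01:00Z 198.51.100.7 alice FAIL
2022-12-06T10:01:05Z 198.51.100.7 alice FAIL
2022-12-06T10:01:09Z 198.51.100.7 alice OK
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_auth_log(text):
    """Parse the constructed log format into (timestamp, ip, user, outcome)."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groups())
    return events


def detect_credential_stuffing(events, min_distinct_users=5, min_fail_ratio=0.6):
    """Flag source IPs that tried many distinct usernames with mostly failures.

    Returns {ip: sorted list of accounts that logged in OK from that ip}, so
    the successful hits can be forced through a password reset or step-up.
    Thresholds are illustrative, not tuned values."""
    users, fails, total, hits = defaultdict(set), defaultdict(int), defaultdict(int), defaultdict(set)
    for _ts, ip, user, outcome in events:
        users[ip].add(user)
        total[ip] += 1
        if outcome == "FAIL":
            fails[ip] += 1
        else:
            hits[ip].add(user)
    flagged = {}
    for ip in users:
        if len(users[ip]) >= min_distinct_users and fails[ip] / total[ip] >= min_fail_ratio:
            flagged[ip] = sorted(hits[ip])
    return flagged


SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


def mask_ssn(ssn):
    """Return the SSN with only the last four digits visible; reject bad input."""
    if not SSN_RE.match(ssn):
        raise ValueError("unexpected SSN format")
    return "***-**-" + ssn[-4:]


def render_tax_form(record, step_up_verified=False):
    """Build the customer-facing view of a tax form record.

    The full SSN is returned only when the session has passed a step-up check
    (e.g. MFA); a password-only session, which is all a stolen credential
    buys, gets the masked value. `step_up_verified` is an assumed flag."""
    view = {"name": record["name"], "year": record["year"]}
    view["ssn"] = record["ssn"] if step_up_verified else mask_ssn(record["ssn"])
    return view


if __name__ == "__main__":
    flagged = detect_credential_stuffing(parse_auth_log(SAMPLE_LOG))
    print("stuffing sources and compromised accounts:", flagged)
    print(render_tax_form({"name": "Dave", "year": 2022, "ssn": "123-45-6789"}))
```

On the constructed log, the detector flags 203.0.113.5 and reports `dave` and `grace` as the accounts it got into, while the single user retrying from 198.51.100.7 is left alone; the tax form view returns `***-**-6789` unless the session has cleared a step-up check.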
NYDFS Findings and Violations
Following an extensive investigation, NYDFS determined that PayPal violated several key provisions of the Cybersecurity Regulation:
- Failure to Maintain Adequate Cybersecurity Policies (23 NYCRR § 500.3) – PayPal lacked sufficient policies governing access management, system security, and customer data protection.
- Insufficient Cybersecurity Personnel and Training (23 NYCRR § 500.10) – The company failed to employ adequately trained cybersecurity professionals to oversee critical security functions.
- Failure to Protect Nonpublic Information (23 NYCRR § 500.12) – PayPal did not implement mandatory Multi-Factor Authentication (MFA), which would have prevented logins made with stolen passwords alone and thereby blocked the unauthorized access to customer data.
Monetary Penalty and Compliance Remediation
As part of the Consent Order, PayPal agreed to pay a $2 million civil penalty to NYDFS. Additionally, the company may not use insurance proceeds to pay the penalty or take a tax deduction for it.
While imposing the fine, NYDFS acknowledged PayPal’s cooperation throughout the investigation and its subsequent efforts to remediate the security lapses. In response to the breach, PayPal has implemented several corrective measures, including:
- Mandatory Multi-Factor Authentication (MFA) for all U.S. customer logins;
- Enhanced training programs for its cybersecurity personnel and engineers;
- Updated internal policies to ensure clearer risk assessment guidelines;
- Improved monitoring of software updates and code deployments.
Implications for Financial Institutions
This is another example of how NYDFS now interprets the risk assessment requirement in the Cybersecurity Regulation to mean that the risk assessment must be accurate and comprehensive. The revised Cybersecurity Regulation has enhanced asset management requirements. It is important that asset management be tightly connected to the risk assessment. And, the risk assessment needs to be updated whenever there is a significant system change, such as the tax form update at issue here.
This enforcement action serves as a stark reminder of the regulatory risks associated with cybersecurity failures. Financial institutions, fintech companies, and other regulated entities must ensure that their cybersecurity programs are not only in place but also rigorously tested and continuously updated. And, multifactor authentication is no longer optional according to multiple regulators.
The NYDFS’s Consent Order against PayPal also highlights the increasing importance of proactive cybersecurity governance. Companies should prioritize regular security assessments, audits, employee training, business continuity and disaster recovery planning, and robust incident response planning to mitigate potential risks.
Moreover, as cyber threats continue to evolve, regulators like NYDFS are expected to intensify their oversight, with stricter penalties for non-compliance. Businesses operating in the financial services sector should take this case as a clear warning that cybersecurity failures will not be tolerated.