Two PayPal customers sued the company for negligence over a December data breach that the company reported in January. The plaintiffs allege that PayPal failed to comply with FTC guidelines and with industry standards, and they are seeking class status.
The complaint, filed on March 2, 2023, alleges in part: “PayPal knew or should have known that its computer systems and data security practices were inadequate to safeguard the Private Information of Plaintiff Pillard and members of the Nebraska state subclass, to deter hackers, and to detect a data breach within a reasonable amount of time. PayPal knew or should have known that the risk of a data breach was highly likely.”
PayPal notified customers who were affected by the incident on January 18, 2023, explaining that their name, address, Social Security number, individual tax identification number, and/or date of birth could have been exposed.
PayPal also told customers affected by the incident:
“On December 20, 2022, we confirmed that unauthorized parties were able to access your PayPal customer account using your login credentials. We have no information suggesting that any of your personal information was misused as a result of this incident, or that there are any unauthorized transactions on your account. There is also no evidence that your login credentials were obtained from any PayPal systems.
“Based on PayPal’s investigation to date, we believe that this unauthorized activity occurred between December 6, 2022, and December 8, 2022, when we eliminated access for unauthorized third parties. During this time, the unauthorized third parties were able to view, and potentially acquire, some personal information for certain PayPal users.”
PayPal also explained it had reset the passwords of the affected PayPal accounts and secured the services of Equifax to provide identity monitoring services at no cost for two years (with instructions on how to sign up for the service).
The plaintiffs claim they and class members “were, and continue to be, at significant risk of identity theft and various other forms of personal, social, and financial harm. The risk will remain for their respective lifetimes.”
PayPal notified the Maine Attorney General’s office, which posted the notice on the Maine.gov website, where it states that 34,942 people in total were affected, including 146 Maine residents.
The Attorney General report described the breach as “Credential Stuffing.” News site Bleeping Computer wrote more about the incident in a January 19th article.
In related news, PayPal announced today that its venture capital division invested in a company called Deep Instinct, “the first company to apply deep learning to cybersecurity” that offers “unrivaled ability to see cyber threats well before other solutions can.”
Definitely negligence. Access to sensitive data should have been controlled by two-factor authentication. Sensitive data like the tax ID should have been encrypted, allowing confirmation but not display. Also, the most sensitive data should not be on the same server as data that can be viewed.