Enforcement takeaways (according to the NYDFS allegations in the Consent Order with PayPal):
• NYDFS found that customer data was exposed after PayPal made changes to offer Form 1099-K to more of its customers; the teams tasked with implementing those changes did not follow the required procedures before the changes went live.
• Malicious actors used compromised credentials to access Forms 1099-K, and PayPal then discovered that its platform served unmasked consumer information, including names, dates of birth, and full Social Security numbers.
• NYDFS determined that the teams involved were not sufficiently trained on PayPal’s systems and application development processes. It also alleged that PayPal failed to maintain written policies addressing access controls, identity management, and customer data, and failed to implement effective controls to protect against unauthorized access to Nonpublic Information and Information Systems (both defined terms under Part 500).
• Promptly after detecting the issue, PayPal added CAPTCHA and rate limiting to the affected flow, which stopped the automated account access to unmasked NPI.
• NYDFS alleged violations of 23 NYCRR § 500.3(d), (i), and (k); 500.10(a)(1) & (2); and 500.12(a).