PayPal Security Breach Settlement Payout: Everything You Need To Know!

Digital payments giant PayPal will pay a $2 million penalty over a December 2022 cybersecurity incident that exposed thousands of users’ Social Security numbers and other personal details, New York state regulators stated on Thursday, January 23, 2025.

In January 2023, PayPal sent data breach notification letters to around 35,000 users after a December 6 credential stuffing attack allowed hackers to access and use customers’ private information. PayPal agreed to pay the penalty, which cannot be covered by cyber insurance, within 10 days of the issuance of the consent order.

PayPal Security Breach Settlement Payout

PayPal will pay a $2 million penalty to New York state to resolve the state’s allegations that the company’s cybersecurity failures led to a data breach.

The New York State Department of Financial Services (DFS) stated in a press release on Thursday, January 23, 2025, that PayPal violated the state’s Cybersecurity Rules and Regulation by failing to use qualified personnel to manage cybersecurity and by failing to provide appropriate training about cybersecurity risks.

It is also alleged that, because of these cybersecurity failures, cybercriminals and unauthorized users were able to access users’ IRS Form 1099-Ks, which contain their Social Security numbers (SSNs), names, addresses, and many other sensitive personal details.

What is the reason behind PayPal security breach settlement?

PayPal is one of the world’s biggest financial technology companies, offering online financial transaction services to its users around the globe. Customer data was breached after PayPal changed existing data flows to provide IRS Form 1099-Ks to its customers.

However, the teams formed to implement these changes were not properly trained on PayPal’s systems and application development processes. As a result, they failed to follow proper procedures before the changes went live.

This allowed cybercriminals to use compromised credentials to access Form 1099-Ks and obtain sensitive customer data such as SSNs. It was also revealed that PayPal did not require users to use multi-factor authentication or employ controls like CAPTCHA to stop unauthorized access.

When will qualifying individuals get their PayPal security breach settlement Payout?

PayPal took various steps after discovering the data breach, such as hiding sensitive information on IRS forms, activating CAPTCHA and rate limiting, and making MFA compulsory for all United States user accounts. But according to the DFS, these steps to prevent unauthorized access came too late.

The settlement terms state that PayPal must pay a fine of $2 million within 10 days. No further action will be taken unless New York’s DFS discovers new violations.

Who is eligible for PayPal security breach settlement Payout?

The PayPal security breach settlement may provide a benefit to customers whose private information, such as Social Security numbers, names, dates of birth, postal addresses, and individual tax identification numbers, was compromised during the December 2022 data breach.

Individuals who were impacted by this breach need to have permanent residency in the United States to be eligible for compensation from this settlement. Individuals who want further details about the eligibility requirements of the PayPal security breach settlement need to contact PayPal or the New York State Department of Financial Services (NYDFS).

How many users are affected by the PayPal security breach settlement?

New York State confirmed a $2,000,000 settlement with PayPal after the company failed to satisfy the state’s cybersecurity regulations, leading to a 2022 data breach.

The Department of Financial Services (DFS) report disclosed that cybercriminals took advantage of security gaps in PayPal’s systems to execute credential stuffing attacks that provided access to customers’ personal information.

In 2023, PayPal disclosed that cybercriminals carried out large-scale credential stuffing attacks between 6 December and 8 December 2022, and it is estimated that data from more than 35,000 user accounts was breached.