Another Tale of Poor Cyber Practices

Here’s an interesting item for all you cybersecurity auditors and GRC professionals: the state of New York just fined PayPal $2 million for “failing to use qualified personnel to manage key cybersecurity functions,” which led to an inept rollout of new accounting processes and a subsequent privacy breach.

The New York Department of Financial Services announced the sanction on Thursday. Technically, DFS accused PayPal of violating 23 NYCRR Part 500, more commonly known as the Cybersecurity Rule. That rule requires financial firms doing business in New York to have a strong cybersecurity program, which must include everything from encryption to internal controls to, yes, qualified and well-trained cybersecurity staff. The CISOs at firms covered by the rule must also certify the effectiveness of their program annually.

As a practical matter, however, what we have here is a quick case study in regulatory change management and remediation gone wrong. Let’s take a look at the DFS settlement order for further detail.

Trouble began in 2021, when Congress passed the American Rescue Plan Act. As part of that law, the IRS lowered the threshold for when third-party payment businesses (such as PayPal) must issue Form 1099-Ks. The Form 1099-K documents any revenue that people might receive through payment cards, payment apps or online marketplaces for goods or services they provided during the prior tax year. 

Historically, taxpayers received a 1099-K if they had more than $20,000 in annual income and conducted more than 200 transactions. Under the new law, however, that threshold dropped to $600 in yearly income and no minimum number of transactions. This meant that lots more people were going to receive 1099-Ks from PayPal — and like any standard tax form, those 1099-Ks were chock full of valuable personal data such as names, addresses, and Social Security numbers. 

Let’s pause here to state the internal control challenge in abstract terms. We had (a) a change in regulation; which (b) required a change in operating processes at PayPal; and (c) would lead to the dissemination of much more personally identifiable information; which (d) still had to be protected as always.

So where did PayPal go wrong in that mission? 

Remediation Opportunity Missed

In 2022 PayPal launched a program to make those 1099-Ks available online to customers who were newly eligible to receive them. The company did this by implementing changes to its existing data collection procedures, and the online portal for 1099-Ks went live in October 2022. 

Barely six weeks later, a PayPal security analyst noticed an online post brazenly titled “PP EXPLOIT TO GET SSN.” The post explained how a user could follow a link to PayPal’s website to view customers’ Social Security numbers via those 1099-Ks. The team investigated, and soon discovered that the 1099-Ks contained unmasked personal data including names, dates of birth, and full SSNs. Even worse, they also detected a spike in hackers trying to access PayPal’s online platform; and concluded that the hackers had indeed gained access to that private data.

I suspect some readers are already asking (or shouting, more likely) “Why did nobody test this new procedure before it went live?” 

Well, because this whole project was misclassified as a platform migration, rather than a new capability for an existing system — and that sent the project down an entirely different, and more relaxed, review process. 

That is, PayPal did have a stringent change management policy for developing new IT processes. That policy included risk assessment, penetration testing, vulnerability scanning, and all the other standard precautionary steps an IT development team would take when building new capabilities into existing IT systems. 

But, according to the DFS settlement order, “The engineering team responsible for implementing the Form 1099-K change was not adequately trained on PayPal’s policies and procedures for deploying code, and therefore incorrectly determined that following [the change management policy] was not required.”

So when those insufficiently trained engineers incorrectly classified the project as a platform migration, the project rolled down an entirely different path of oversight and internal control. That’s how PayPal ended up launching its new 1099 portal with significant privacy and cybersecurity flaws, even though the company did have policies and procedures meant to catch exactly such issues. 

Addressing the Issue

OK, so PayPal engineers misunderstood how they should handle that 1099-K project, and that led to a breach. How are you supposed to remediate a problem like inadequately trained staff? 

First, PayPal did offer “commendable cooperation” throughout the investigation, the DFS said; that never hurts. PayPal also quickly took several other steps, such as… 

  • Masking the exposed data, and implementing stronger access controls for users to find it.
  • Updating relevant policies for “additional clarity” on when the change management process had to be followed.
  • Introducing better training for the engineering team on PayPal’s policies and procedures for deploying code. 
  • Improving the company’s capabilities to monitor code as it is pushed along, to assure that all necessary risk and compliance reviews do indeed happen.

Anyway, that’s another cautionary tale for CISOs, GRC teams, and internal auditors about how even the best laid plans of internal control often go awry.
