PayPal's 'bad code' leads to unauthorized payments

  • Key insights: PayPal suffered a breach due to faulty code in its small-business lending group.
  • What's at stake: The breach comes as PayPal attempts to recover from an earnings slump.
  • Forward look: PayPal has refunded the stolen funds and offered two years of free credit monitoring.

PayPal has spent the past few weeks cleaning up after a data breach caused some customers to lose funds to hackers.  
PayPal's Feb. 10 breach disclosure letter said that on Dec. 12, the company discovered a coding error in its PayPal Working Capital system, resulting in the exposure of personally identifiable information of some customers between July 1 and Dec. 13. This information included some combination of names, email addresses, phone numbers, business addresses, Social Security numbers and dates of birth.


"Sadly, these types of breaches are not unique, and it seems in recent times that lenders and lending platforms are increasingly targeted, perhaps for the treasure-trove of sensitive data loan applications contain," Tracy Goldberg, director of cybersecurity at Javelin Strategy & Research, told American Banker. 

PayPal's letter said "a few" customers experienced unauthorized transactions on their account, adding the company has issued refunds to those customers and offered two free years of credit monitoring through Experian. It also implemented "advanced" security controls and reset the passwords of the affected customers. These customers will be required to change their passwords upon their next login. 

The breach was tied to PayPal Working Capital, a business-facing unit that offers credit to mostly small businesses. PayPal Working Capital plays a role in how PayPal competes with banks, with a particular focus on businesses where banks are reducing their presence. More than half of Working Capital and PayPal Business loans go to small businesses in ZIP codes where more than 10 bank branches closed during the early 2020s, according to PayPal. PayPal and rivals such as Square offer loans to businesses based on a percentage of future payment flows, which the fintechs contend enables them to make loans to small businesses faster than banks. 

"PayPal's response of resetting passwords and offering two years of credit monitoring is a standard industry practice, but affected customers should remain vigilant well beyond that window. Identity fraud stemming from this type of breach can surface years after the initial exposure," Jim Mortensen, strategic advisor for the Fraud & AML Practice Group at Datos Insights, told American Banker. "The broader takeaway is that companies handling loan application data, which captures a concentration of highly sensitive personal and financial information, bear a heightened responsibility for continuous security auditing and rapid breach detection. A six-month gap between introduction of the bug and discovery is concerning."

Small business lending is also part of a revenue diversification and small business relationship strategy as PayPal tries to improve financial performance in the wake of slower growth in its core branded checkout business, a slump that recently led PayPal to fire CEO Alex Chriss and name former HP and PayPal board member Enrique Lores as its new CEO, effective March 1.

Given the corporate churn, a security setback comes at an inopportune time. PayPal did not release the exact number of victims or a financial amount for losses due to the breach. "When there is a potential exposure of customer information, PayPal is required to notify affected customers. In this case, PayPal's systems were not compromised. As such, we contacted the approximately 100 customers who were potentially impacted to provide awareness on this matter," a PayPal spokesperson told American Banker. PayPal is based in San Jose, Calif., where state law requires businesses and government agencies to report data breaches affecting more than 500 residents within 30 days of the discovery. It's unclear how many affected customers are California residents. 

PayPal is also not the only financial-technology company to suffer a recent data breach. Blockchain lender Figure Technology Solutions earlier this year reported a leak that exposed 1 million customer accounts, with a cybercriminal group called ShinyHunters claiming responsibility. ShinyHunters uses social engineering to trick staff into enabling access. 

ShinyHunters also claimed responsibility for a data breach at fintech Betterment, which exposed data for about 1.4 million consumers. 

While seeing names, usernames, email addresses, mobile phone numbers, Social Security numbers, and dates of birth compromised is not unique, what is concerning about the PayPal breach is that all of that personally identifiable information, or PII, was coupled with sensitive information about business clients as well, according to Goldberg. 

"What's more, when all of this information is stolen, pre-bundled, it makes the job of the cybercriminal much easier, since bits of PII have already been sorted and correlated, as it were," Goldberg said. "With this type of bundled PII, the sale of all of this bundled data is very profitable on the dark web and makes it much easier for cybercriminals to perpetuate new account fraud and account takeover fraud, which remains financial institutions' leading fraud risk."
