PayPal has been left red-faced after it was forced to admit a massive data breach at recently acquired TIO Networks affecting 1.6 million customers.
The payments giant said in a statement that TIO’s operations had been suspended since November 10, while it investigated “security vulnerabilities” in the firm’s platform.
It added:
“This ongoing investigation has identified evidence of unauthorized access to TIO’s network, including locations that stored personal information of some of TIO’s customers and customers of TIO billers. As a result, PayPal is taking steps to protect affected customers.”
PayPal was quick to point out that its own platform “is not impacted in any way” and that PayPal customer data remains secure.
However, the incident will be some cause for embarrassment at the firm, especially as it only acquired payment processor TIO Networks in July.
It calls to mind Verizon’s revelations in October, shortly after it acquired Yahoo, that a 2013 breach of the company had actually compromised not one but three billion user accounts.
Verizon had already managed to negotiate a $350m reduction in the acquisition price following revelations of mass breaches at the internet pioneer.
The incidents highlight the risks facing firms and the potential limits of due diligence.
The PayPal statement continued:
“TIO has also begun working with the companies it services to notify potentially affected individuals, and PayPal is working with a consumer credit reporting agency to provide free credit monitoring memberships. Individuals who are affected will be contacted directly and receive instructions to sign up for monitoring.”
In Europe, the forthcoming General Data Protection Regulation (GDPR) will mandate 72-hour breach notifications; firms that fail to comply could face fines of up to €10m or 2% of global annual turnover.
However, for US companies with no customers who are EU citizens, there could still be serious penalties on the horizon for tardy breach disclosure.
Senators have introduced the Data Security and Breach Notification Act, which if passed could mean up to five years in prison for any executives found to have deliberately concealed a breach, as happened at Uber.