In Wake of Latest Data Breach, PayPal Responds to Attorney General Shapiro Demands for More Disclosure

December 6, 2017 | Topic: Consumers

Bank Account Info, Social Security Numbers of 1.6 Million Users in US and Canada Compromised

HARRISBURG — PayPal has contacted the Office of Attorney General’s Bureau of Consumer Protection to alert it of a data breach impacting 1.6 million users in the United States and Canada.  In response, Attorney General Shapiro has requested more information from PayPal about the breach.

The breach occurred on a platform PayPal acquired in July – TIO Networks – and prior to PayPal buying the company. TIO suspended operations last month after discovering the breach.

“PayPal did the right thing in alerting our office of the breach, and now is working with us to protect Pennsylvania consumers,” Attorney General Shapiro said. I expect other businesses that experience hacks or breaches moving forward will do the same. We will remain vigilant.”

Without prompting, PayPal informed the Bureau of Consumer Protection that hackers may have obtained names, addresses, bank account information, Social Security numbers and login details of 1.6 million TIO users. TIO Networks, formerly a Canadian-based payment firm, makes digital bill payment tools for utilities and operated a network of kiosks in retail stores. Many of the consumers who use TIO’s payment methods are lower-income consumers.

PayPal said it has reached out to billers to obtain addresses for affected consumers and it expects to mail notices to all potentially impacted consumers soon. PayPal said free credit monitoring will be provided to those affected by the breach.

PayPal’s actions in alerting the Bureau of Consumer Protection of the breach, and in offering free credit monitoring to consumers contrasts with the behavior of another company after a major data breach earlier this year.

Equifax, the credit monitoring service, experienced a massive breach impacting at least 145 million people, including 5.5 million Pennsylvanians. They knew of a potential problem in March, and specifically learned of the breach in July – yet alerted no one until September.

Attorney General Shapiro, leading a national investigation of 49 Attorneys General into the Equifax breach, has demanded that the company disclose exactly when it learned of the breach and what it did about it.  Equifax resisted initial demands by Attorney General Shapiro and his colleagues to offer free credit monitoring to impacted consumers, but eventually relented.

In the PayPal case, the Bureau of Consumer Protection sent a letter demanding:

  • The exact date PayPal discovered the hack
  • The number of affected users in Pennsylvania and nationwide
  • The specific kinds of information and data which were compromised

“We want Pennsylvanians who believe they’ve been affected by this latest breach or the other breaches to file complaints with us,” Attorney General Shapiro said. “Our goal is to force change in corporate behavior, so companies entrusted with our most secure information take substantive steps and implement the best technology to safeguard it better in the future.”

Consumers can contact the Office of Attorney General Bureau Consumer Protection at 1-800-441-2555 or . Consumers can also file a complaint here.

# # #