A recent breach affecting PayPal’s recently bought TIO Networks involved the alleged leak of 1.6 million customer records, affecting both TIO customers and customers of TIO billers. The Canadian payments outfit was acquired by PayPal in February 2017 for $233 million, in an effort to help PayPal “expand its global scale of operations”.
Although TIO stopped all operations as of Nov. 10 to avoid further potential compromise of personal customer data, the subsequent investigation revealed that data-storing locations were indeed accessed by unauthorized personnel.
“As announced on November 10, PayPal suspended the operations of TIO to protect customer data as part of an ongoing investigation of security vulnerabilities of the TIO platform,” said PayPal. “This ongoing investigation has identified evidence of unauthorized access to TIO’s network, including locations that stored personal information of some of TIO’s customers and customers of TIO billers.”
No official comment revealts how attackers might have infiltrated TIO’s systems, but TIO’s FAQ section seems to indicate that customer SSNs might have been exposed in the breach. While the payments outfit does offer free 12-month credit monitoring, those that had social security numbers leaked seem to benefit from a 24-month credit monitoring service. TIO has yet to contact potential victims, but said it will do so via email and regular mail.
While PayPal has expressly stated that its own network and customer database were not affected, with TIO residing in a completely separate network, the company did notify the New York State Department of Financial Services (DFS). The regulator also started its own investigation, commending PayPal’s initiative and rapid response to the security incident.
“DFS is working with our regulated entity, PayPal, to investigate and address issues related to cybersecurity vulnerabilities identified at PayPal’s subsidiary, TIO Networks,” reads the official DFS statement attributed to Superintendent Maria T. Vullo. “We applaud PayPal’s rapid response to the matter, which put consumers and business clients first, and we appreciate their efforts to inform DFS, as required, in a timely manner.”