Industry News

Canadian PayPal Subsidiary, TIO Networks, Leaks 1.6 Million Customer Records

A recent breach affecting PayPal’s recently bought TIO Networks involved the alleged leak of 1.6 million customer records, affecting both TIO customers and customers of TIO billers. The Canadian payments outfit was acquired by PayPal in February 2017 for $233 million, in an effort to help PayPal “expand its global scale of operations”.

Although TIO stopped all operations as of Nov. 10 to avoid further potential compromise of personal customer data, the subsequent investigation revealed that data-storing locations were indeed accessed by unauthorized personnel.

“As announced on November 10, PayPal suspended the operations of TIO to protect customer data as part of an ongoing investigation of security vulnerabilities of the TIO platform,” said PayPal. “This ongoing investigation has identified evidence of unauthorized access to TIO’s network, including locations that stored personal information of some of TIO’s customers and customers of TIO billers.”

No official comment revealts how attackers might have infiltrated TIO’s systems, but TIO’s FAQ section seems to indicate that customer SSNs might have been exposed in the breach. While the payments outfit does offer free 12-month credit monitoring, those that had social security numbers leaked seem to benefit from a 24-month credit monitoring service. TIO has yet to contact potential victims, but said it will do so via email and regular mail.

While PayPal has expressly stated that its own network and customer database were not affected, with TIO residing in a completely separate network, the company did notify the New York State Department of Financial Services (DFS). The regulator also started its own investigation, commending PayPal’s initiative and rapid response to the security incident.

“DFS is working with our regulated entity, PayPal, to investigate and address issues related to cybersecurity vulnerabilities identified at PayPal’s subsidiary, TIO Networks,” reads the official DFS statement attributed to Superintendent Maria T. Vullo. “We applaud PayPal’s rapid response to the matter, which put consumers and business clients first, and we appreciate their efforts to inform DFS, as required, in a timely manner.”

About the author


Liviu Arsene is the proud owner of the secret to the fountain of never-ending energy. That's what's been helping him work his everything off as a passionate tech news editor for the past couple of years. He is the youngest and most restless member of the Bitdefender writer team and he covers mobile malware and security topics with fervor and a twist. His passions revolve around gadgets and technology, and he's always ready to write about what's hot and trendy out there in geek universe.

1 Comment

Click here to post a comment
  • I am a victim of Tio data breach! This has been a nightmare on epic proportions. I was hit through every company possible that tio billed for. Its funny to me the companies are not being put on blast. All carriers any platform bottom line because i paid my bill. They stole or made me lose everything ive been filling complaints for years and now the want to offer protection. If it wouldnt of destroyed me maybe i could understand but with all companies having all information and TIO having the same customer the put all of the information together. Lets call a spade a spade tho i DID NOT GIVE TIO MY INFORMATION! I gave my info to PACIFIC GAS AND ELECTRIC they are the ones that gave it away and did not monitor what was happening! So bottom line i paid them TIO was paid to have this happen. Something needs to be done!