Facebook LinkedIn Twitter Vimeo RSS

'PayPal did the right thing' by notifying Pa. of data breach, AG Shapiro says

By ,
Pennsylvania Attorney General Josh Shapiro
Pennsylvania Attorney General Josh Shapiro - (Photo / )

When PayPal officials found out someone may have hacked a platform the company acquired earlier this year, they quickly notified the Pennsylvania Bureau of Consumer Protection. The company's unprompted response drew praise this week from state Attorney General Josh Shapiro.

"PayPal did the right thing in alerting our office of the breach, and now is working with us to protect Pennsylvania consumers," Shapiro said in a news release Tuesday. "I expect other businesses that experience hacks or breaches moving forward will do the same."

PayPal told investors Dec. 1 that nearly 1.6 million customers may have had their personal information stolen from a payment processor called Tio Networks, which PayPal acquired in July. Tio serves customers who pay utilities and other bills by cash at kiosks in places like convenience stores and supermarkets.

PayPal suspended Tio's operations Nov. 10 after discovering potential weaknesses in the platform's security. After finding evidence of a possible hack, it notified customers who may have been affected and is working to provide them with free credit monitoring services. 

Shapiro's office sent a letter to PayPal requesting more information about the potential breach, including specifics about the exact date the company discovered it, the number of affected users in Pennsylvania and the specific kinds of data compromised.

Still, the attorney general praised PayPal's overall response to the situation, saying it stood in contrast to the way Equifax responded to a breach of its system earlier this year. Equifax found out about potential problems in its system in March but did not notify consumers until September, leading Shapiro and other state attorneys general to launch an investigation into the company's actions.

Shapiro's office is also asking question of ride-sharing service Uber after it revealed last month that it waited nearly a year to tell customers about a breach of its systems. Federal laws have little to say about how companies handle customer notifications after a potential data breach. Pennsylvania has a state law, but it only requires that businesses tell affected consumers "without unreasonable delay."

PayPal representatives, when contacted Wednesday by the Central Penn Business Journal, declined to comment on their potential breach beyond referring to a news release the company sent out last week. In response specifically to Shapiro's statements, company spokesman Justin Higgs thanked the attorney general for recognizing the steps PayPal has taken to remedy any potential issues.

"We will continue to put customers first, and to work cooperatively with regulators, officials and our billing partners throughout the process," Higgs said.

More From This Industry

Jennifer Wentz

Jennifer Wentz

Jennifer Wentz covers Lancaster County, York County, financial services, taxation and legal services. Have a tip or question for her? Email her at jwentz@cpbj.com. Follow her on Twitter, @jenni_wentz.

Leave a Comment


Please note: All comments will be reviewed and may take up to 24 hours to appear on the site.

Post Comment
View Comment Policy