'PayPal did the right thing' by notifying Pa. of data breach, AG Shapiro says
When PayPal officials found out someone may have hacked a platform the company acquired earlier this year, they quickly notified the Pennsylvania Bureau of Consumer Protection. The company's unprompted response drew praise this week from state Attorney General Josh Shapiro.
"PayPal did the right thing in alerting our office of the breach, and now is working with us to protect Pennsylvania consumers," Shapiro said in a news release Tuesday. "I expect other businesses that experience hacks or breaches moving forward will do the same."
PayPal told investors Dec. 1 that nearly 1.6 million customers may have had their personal information stolen from a payment processor called Tio Networks, which PayPal acquired in July. Tio serves customers who pay utilities and other bills by cash at kiosks in places like convenience stores and supermarkets.
PayPal suspended Tio's operations Nov. 10 after discovering potential weaknesses in the platform's security. After finding evidence of a possible hack, it notified customers who may have been affected and is working to provide them with free credit monitoring services.
Shapiro's office sent a letter to PayPal requesting more information about the potential breach, including specifics about the exact date the company discovered it, the number of affected users in Pennsylvania and the specific kinds of data compromised.
Still, the attorney general praised PayPal's overall response to the situation, saying it stood in contrast to the way Equifax responded to a breach of its system earlier this year. Equifax found out about potential problems in its system in March but did not notify consumers until September, leading Shapiro and other state attorneys general to launch an investigation into the company's actions.
Shapiro's office is also asking question of ride-sharing service Uber after it revealed last month that it waited nearly a year to tell customers about a breach of its systems. Federal laws have little to say about how companies handle customer notifications after a potential data breach. Pennsylvania has a state law, but it only requires that businesses tell affected consumers "without unreasonable delay."
PayPal representatives, when contacted Wednesday by the Central Penn Business Journal, declined to comment on their potential breach beyond referring to a news release the company sent out last week. In response specifically to Shapiro's statements, company spokesman Justin Higgs thanked the attorney general for recognizing the steps PayPal has taken to remedy any potential issues.
"We will continue to put customers first, and to work cooperatively with regulators, officials and our billing partners throughout the process," Higgs said.