Security Experts:

Breach at PayPal Subsidiary Affects 1.6 Million Customers

PayPal informed customers on Friday that personal information for 1.6 million individuals may have been obtained by hackers who breached the systems of its subsidiary TIO Networks.

TIO is a publicly traded bill payment processor that PayPal acquired in July 2017 for roughly $230 million. The company is based in Canada and it serves some of the largest telecom and utility network operators in North America. TIO has more than 10,000 supported billers and it serves 16 million consumer bill pay accounts.

On November 10, PayPal announced that TIO had suspended operations in an effort to protect customers following the discovery of security vulnerabilities on the subsidiary's platform. PayPal said it had found issues with TIO’s data security program that did not adhere to its own standards.

An investigation conducted in collaboration with third-party cybersecurity experts revealed that TIO’s network had been breached, including servers that stored the information of TIO clients and customers of TIO billers. PayPal said the attackers may have obtained personally identifiable information (PII) for roughly 1.6 million customers.

Affected companies and individuals will be contacted via mail and email, and offered free credit monitoring services via Experian.

While it’s unclear exactly what type of data the hackers have gained access to, the information shared by PayPal and TIO suggests that payment card data and in some cases even social security numbers (SSNs) may have been compromised.

PayPal has highlighted that TIO’s systems have not been integrated into its own platform. “The PayPal platform is not impacted in any way, as the TIO systems are completely separate from the PayPal network, and PayPal’s customers’ data remains secure,” the company said.

The New York State Department of Financial Services (DFS), an agency responsible for regulating financial services and products, has also issued a statement on the incident.

“DFS is working with our regulated entity, PayPal, to investigate and address issues related to cybersecurity vulnerabilities identified at PayPal’s subsidiary, TIO Networks,” the DFS said. “We applaud PayPal’s rapid response to the matter, which put consumers and business clients first, and we appreciate their efforts to inform DFS, as required, in a timely manner. Events like these illustrate the necessity of DFS’s landmark cybersecurity regulation and underscore the strength and effectiveness of our strong state-based financial services regulatory framework, including for the fintech industry.”

TIO said services will not be fully restored until it’s confident that its systems and network are secure.

UPDATE 12/5/2017. One of the affected TIO customers is Charlotte, North Carolina-based power company Duke Energy. The security incident forced the firm to indefinitely suspend its in-person payment services. Of the 1.6 million customers affected by the breach, 374,000 were Duke customers, reported Greenville News.

Related: TrickBot Targets Payment Processors, CRM Providers

Related: 320,000 Financial Records Apparently Stolen From Payment Processor

view counter
Eduard Kovacs is an international correspondent for SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.