Security Experts:

Connect with us

Hi, what are you looking for?



Breach at PayPal Subsidiary Affects 1.6 Million Customers

PayPal informed customers on Friday that personal information for 1.6 million individuals may have been obtained by hackers who breached the systems of its subsidiary TIO Networks.

PayPal informed customers on Friday that personal information for 1.6 million individuals may have been obtained by hackers who breached the systems of its subsidiary TIO Networks.

TIO is a publicly traded bill payment processor that PayPal acquired in July 2017 for roughly $230 million. The company is based in Canada and it serves some of the largest telecom and utility network operators in North America. TIO has more than 10,000 supported billers and it serves 16 million consumer bill pay accounts.

On November 10, PayPal announced that TIO had suspended operations in an effort to protect customers following the discovery of security vulnerabilities on the subsidiary’s platform. PayPal said it had found issues with TIO’s data security program that did not adhere to its own standards.

An investigation conducted in collaboration with third-party cybersecurity experts revealed that TIO’s network had been breached, including servers that stored the information of TIO clients and customers of TIO billers. PayPal said the attackers may have obtained personally identifiable information (PII) for roughly 1.6 million customers.

Affected companies and individuals will be contacted via mail and email, and offered free credit monitoring services via Experian.

While it’s unclear exactly what type of data the hackers have gained access to, the information shared by PayPal and TIO suggests that payment card data and in some cases even social security numbers (SSNs) may have been compromised.

PayPal has highlighted that TIO’s systems have not been integrated into its own platform. “The PayPal platform is not impacted in any way, as the TIO systems are completely separate from the PayPal network, and PayPal’s customers’ data remains secure,” the company said.

The New York State Department of Financial Services (DFS), an agency responsible for regulating financial services and products, has also issued a statement on the incident.

“DFS is working with our regulated entity, PayPal, to investigate and address issues related to cybersecurity vulnerabilities identified at PayPal’s subsidiary, TIO Networks,” the DFS said. “We applaud PayPal’s rapid response to the matter, which put consumers and business clients first, and we appreciate their efforts to inform DFS, as required, in a timely manner. Events like these illustrate the necessity of DFS’s landmark cybersecurity regulation and underscore the strength and effectiveness of our strong state-based financial services regulatory framework, including for the fintech industry.”

TIO said services will not be fully restored until it’s confident that its systems and network are secure.

UPDATE 12/5/2017. One of the affected TIO customers is Charlotte, North Carolina-based power company Duke Energy. The security incident forced the firm to indefinitely suspend its in-person payment services. Of the 1.6 million customers affected by the breach, 374,000 were Duke customers, reported Greenville News.

Related: TrickBot Targets Payment Processors, CRM Providers

Related: 320,000 Financial Records Apparently Stolen From Payment Processor

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.