A class action lawsuit has been initiated against PayPal after a cyber-attack resulted in the exposure of personal and financial information belonging to approximately 35,000 customers. The lawsuit alleges that PayPal, the leading online payment services provider, failed to adequately protect the private information of its users, leaving them susceptible to identity theft and other associated harms.
PayPal released an official statement shortly after the cyber-attack, which revealed that the incident occurred during the period of December 6 to December 8, 2022. According to the statement, the attackers employed a technique called "credential stuffing" where they used login credentials acquired from one organization to gain unauthorized access to accounts at another entity. Although the company maintains that there is no evidence of personal information misuse or unauthorized transactions, it cannot completely rule out the possibility of third parties accessing and potentially acquiring users' personal information.
Despite PayPal's attempts to downplay the extent of the potential harm, the plaintiffs in the civil lawsuit argue that the company violated the guidelines established by the Federal Trade Commission (FTC) by neglecting to implement fundamental security practices and comply with industry data-protection standards. PayPal is facing nine different accusations, including charges of unjust enrichment, breach of contract, and negligence per se. The latter refers to a failure to fulfill a duty that is mandated by law, rather than a general legal duty of care, which is typically associated with a standard negligence claim. The claimants seek unspecified monetary damages for breach of several consumer protection laws and request equitable relief in the form of lifetime credit monitoring and identity theft insurance.
In response, PayPal has offered affected users a two-year free subscription to Equifax, a leading consumer credit reporting agency. The subscription includes up to $1,000,000 of identity theft insurance coverage, identity restoration assistance, and other valuable features. The company has further advised users to utilize different passwords for different accounts and turn on two-factor authentication as a precautionary measure to avoid future security incidents.
As PayPal continues to grapple with the aftermath of the cyberattack, the class action lawsuit serves as a stark reminder of the far-reaching consequences of data breaches. With personal and financial information at risk, consumers expect more robust security measures from service providers. As the case unfolds, it remains to be seen how the courts will weigh in on the matter. However, it is clear that the need for adequate cybersecurity measures has never been more pressing, and all organizations should prioritize safeguarding the sensitive information of their users.