PayPal Holdings Inc. Fined 900 Million Won for Multiple Data Breaches Affecting 23,000 Customers

SEOUL – PayPal Holdings, Inc. was fined over 900 million won (US$663,863) on Thursday for a series of data breaches that affected approximately 23,000 customers.

According to a news release by the Yonhap News Agency, the Personal Information Protection Commission levied a combined fine of 922 million won against the Singapore-based online payment system operator for failures in personal information protection. These lapses led to the unauthorized release of customer data, including names, addresses, and photos.

The first instance of data leakage occurred in December 2021, when nearly 22,000 customers had their information exposed due to a hacking attack on PayPal’s payment system. This was followed by another breach involving more than 1,000 customers whose private information was compromised through a phishing scam that targeted an employee’s email.

Earlier this year, PayPal suffered yet another security breach, this time from a “credential stuffing” attack. This type of cyber-attack gains unauthorized access to user accounts by automatically inserting stolen usernames and passwords into website login forms. The attack resulted in the leakage of more than 300 additional customers’ personal data.

The Personal Information Protection Commission found that PayPal had been negligent in managing its safety systems and had delayed reporting these incidents to the appropriate authorities.