State attorney general Josh Shaprio requests information from PayPal regarding recent data breach
HARRISBURG — PayPal has contacted Pennsylvania Attorney General Josh Shapiro’s office to alert him of a data breach impact 1.6 million users in the United States and Canada, Shapiro’s office announced Wednesday.
In response, Shapiro has requested more information from PayPal about the breach, which occurred on a platform PayPal acquired in July, TIO Networks. The breach occurred prior to PayPal’s purchase of the company, Shaprio’s office said.
TIO suspended operations last month after discovering the breach.
“PayPal did the right thing in alerting our office of the breach, and now is working with us to protect Pennsylvania consumers,” Attorney General Shapiro said in a press release. “I expect other businesses that experience hacks or breaches moving forward will do the same. We will remain vigilant.”
Without prompting, PayPal informed the Bureau of Consumer Protection that hackers may have obtained names, addresses, bank account information, Social Security numbers and login details of 1.6 million TIO users. TIO Networks, formerly a Canadian-based payment firm, makes digital bill payment tools for utilities and operated a network of kiosks in retail stores. Many of the consumers who use TIO’s payment methods are lower-income consumers.
PayPal said it has reached out to billers to obtain addresses for affected consumers and it expects to mail notices to all potentially impacted consumers soon. PayPal said free credit monitoring will be provided to those affected by the breach.
PayPal’s actions in alerting the Bureau of Consumer Protection of the breach, and in offering free credit monitoring to consumers contrasts with the behavior of another company after a major data breach earlier this year.
Equifax, the credit monitoring service, experienced a massive breach impacting at least 145 million people, including 5.5 million Pennsylvanians. They knew of a potential problem in March, and specifically learned of the breach in July – yet alerted no one until September.
Shapiro, leading a national investigation of 49 Attorneys General into the Equifax breach, has demanded that the company disclose exactly when it learned of the breach and what it did about it. Equifax resisted initial demands by Attorney General Shapiro and his colleagues to offer free credit monitoring to impacted consumers, but eventually relented.
In the PayPal case, the Bureau of Consumer Protection sent a letter demanding:
- The exact date PayPal discovered the hack
- The number of affected users in Pennsylvania and nationwide
- The specific kinds of information and data which were compromised
“We want Pennsylvanians who believe they’ve been affected by this latest breach or the other breaches to file complaints with us,” Shapiro said. “Our goal is to force change in corporate behavior, so companies entrusted with our most secure information take substantive steps and implement the best technology to safeguard it better in the future.”