Cyber Incident Victim: PayPal Holdings

PayPal Holdings, Inc. suspended operations of TIO Networks, a payment processor it acquired in July 2017, on November 10, 2017, following the discovery of security vulnerabilities in TIO’s platform. This suspension aimed to protect customer data during an ongoing investigation into these vulnerabilities. By December 1, 2017, PayPal confirmed evidence of unauthorized access to TIO’s network, specifically targeting systems storing personally identifiable information. The investigation revealed approximately 1.6 million customers of TIO and its biller clients were potentially impacted by this compromise. PayPal emphasized that its core platform remained unaffected, as TIO operated on entirely separate infrastructure, ensuring no exposure of PayPal customer data. The breach exclusively involved TIO’s systems, which handled bill payment services distinct from PayPal’s primary operations.

In response, PayPal initiated measures to notify and protect affected individuals. TIO collaborated with the companies it serviced to communicate directly with potentially impacted customers regarding the unauthorized access. PayPal partnered with a consumer credit reporting agency to provide complimentary credit monitoring memberships to those affected. Instructions for enrolling in this monitoring service were distributed directly to compromised individuals. The company maintained a dedicated informational resource at www.tio.com to keep stakeholders informed. No evidence suggested financial information misuse at the time of the December 1 update, though the investigation into the full scope and cause of the breach continued. PayPal’s actions focused on mitigating risks to TIO’s customer base while maintaining separation from its own secured payment ecosystem.