Cyber Incident Victim: TIO Networks

In July 2017, PayPal Holdings, Inc. acquired TIO Networks, a publicly traded bill payment processor. On November 10, 2017, PayPal suspended all operations of TIO Networks to protect customer data following the discovery of security vulnerabilities within TIO’s platform. This suspension initiated an internal investigation into the extent of the security flaws. By December 1, 2017, PayPal confirmed evidence of unauthorized access to TIO’s network, including systems storing personal information. The investigation revealed a potential compromise of personally identifiable information (PII) for approximately 1.6 million customers, encompassing both TIO’s direct customers and customers of the billers serviced by TIO. PayPal emphasized that its own platform remained unaffected due to complete separation between TIO’s infrastructure and PayPal’s networks. No specifics regarding the nature of the vulnerabilities, the exact timeline of unauthorized access, or the methods used by attackers were disclosed in the public update.

The compromise impacted individuals whose data was stored on the breached TIO systems, though the specific types of exposed PII were not detailed. In response, PayPal and TIO implemented measures to notify affected individuals through collaboration with the companies TIO serviced. PayPal also partnered with a consumer credit reporting agency to offer free credit monitoring memberships to those impacted, with direct communication planned to provide enrollment instructions. The suspension of TIO’s operations remained in effect as of December 1 to contain the incident and prevent further unauthorized access. PayPal’s public statement focused on remediation for affected customers while asserting the security of PayPal user data. Further details about the investigation’s progress or forensic findings were not provided, with additional information directed to TIO’s website.