Breach, Threat Management, Data Security

Data breach at PayPal’s TIO Networks unit affects 1.6 million customers

PayPal Holdings on Friday acknowledged that a data breach at recently acquired payments processor TIO Networks compromised the personally identifiable information of roughly 1.6 million customers.

The disclosure sheds light on the online payments company's Nov. 10 decision to suspend the operations of Vancouver, Canada-based TIO Networks. In a press release, San Jose, Calif.-based PayPal explains that the move was made to “protect customer data as part of an ongoing investigation of security vulnerabilities of the TIO platform.” The investigation subsequently yielded evidence of a unauthorized access into TIO Networks' systems, including “locations that stored personal information of some of TIO's customers and customers of TIO billers.”

PayPal acquired TIO in July 2017 for $238 million. It is unclear whether the original data breach occurred prior to or after the purchase, or to what extent the company was aware of potential security issues prior to the acquisition.

In the press release, PayPal did not specify what information was compromised; however, an FAQ section on the TIO Networks website indicated that Social Security numbers were among the PII stolen, noting that customers whose SSNs were impacted will be eligible for 24 months of free credit monitoring. (All other impacted individuals will receive 12 months of free monitoring.)

Justin Higgs, a senior manager of corporate communications at PayPal, later clarified to SC Media via email that “potential information that was compromised includes data such as payment card information or bank account information, usernames and passwords for online accounts, and Social Security.” Higgs also stressed that PayPal has “not found actual proof of data being taken from the TIO network.” However, the company “found enough evidence of potential exposure to treat this incident as a data breach” and alert the authorities and relevant parties.

The company says it is actively working to directly notify all potentially affected individuals and their billers, retailers and agents. PayPal also has emphasized that its own corporate systems were not impacted by the breach situation and that its customers' data remains secure.

PayPal Holdings on Friday acknowledged that a data breach at recently acquired payments processor TIO Networks compromised the data of roughly 1.6 million customers.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.