Hactivists deface eBay and PayPal websites
Hactivists deface eBay and PayPal websites

PayPal Holdings on Friday acknowledged that a data breach at recently acquired payments processor TIO Networks compromised the personally identifiable information of roughly 1.6 million customers.

The disclosure sheds light on the online payments company's 10 November decision to suspend the operations of Vancouver, Canada-based TIO Networks. In a press release, San Jose, Calif.-based PayPal explains that the move was made to “protect customer data as part of an ongoing investigation of security vulnerabilities of the TIO platform.” The investigation subsequently yielded evidence of a unauthorised access into TIO Networks' systems, including “locations that stored personal information of some of TIO's customers and customers of TIO billers.”

PayPal acquired TIO in July 2017 for US$238 million (£177 million). It is unclear whether the original data breach occurred prior to or after the purchase, or to what extent the company was aware of potential security issues prior to the acquisition.

In the press release, PayPal did not specify what information was compromised; however, an FAQ section on the TIO Networks website indicated that Social Security numbers were among the PII stolen, noting that customers whose SSNs were impacted will be eligible for 24 months of free credit monitoring. (All other impacted individuals will receive 12 months of free monitoring.)

Justin Higgs, a senior manager of corporate communications at PayPal, later clarified to SC Media via email that “potential information that was compromised includes data such as payment card information or bank account information, usernames and passwords for online accounts, and Social Security.” Higgs also stressed that PayPal has “not found actual proof of data being taken from the TIO network.” However, the company “found enough evidence of potential exposure to treat this incident as a data breach” and alert the authorities and relevant parties.

The company says it is actively working to directly notify all potentially affected individuals and their billers, retailers and agents. PayPal also has emphasised that its own corporate systems were not impacted by the breach situation and that its customers' data remains secure.

PayPal Holdings on Friday acknowledged that a data breach at recently acquired payments processor TIO Networks compromised the data of roughly 1.6 million customers.