


Jon Gold
Senior writer

PayPal sued for negligence in data breach that affected 35,000 users

Mar 06, 2023 · 3 min read
Data Breach, Legal

Alleged data breach victims have sued PayPal in federal court for failing to safeguard their personal data, and are asking for class-action certification.

[Image: networking cables viewed through a magnifying lens. Credit: AndreyPopov / Getty Images]

A pending class action lawsuit accuses online payments giant PayPal of failing to adequately safeguard the personal information of its users, leaving them vulnerable to identity theft and related ills at the hands of the unidentified perpetrators of a data breach that occurred late last year.

Nearly 35,000 people were affected by the attack, a credential-stuffing campaign in which previously compromised usernames and passwords were replayed against PayPal's login systems. PayPal's notice to users whose personal information was compromised said the company first learned of the attack just before the holidays in 2022, and that the unauthorized access was eventually determined to have taken place between December 6 and December 8.

The notice was sent out January 19 and said there was "no evidence" that the compromised logins had been taken from PayPal's own systems. Rather, it is likely that username and password data gleaned from breaches of other services was used to attempt logins to PayPal accounts, which succeeded in the cases where users had reused the same password.
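The attack pattern described above, a single source replaying a leaked credential list against many accounts and succeeding only where the password was reused, has a recognizable shape in authentication logs. The following is an added example, not code from the article or from PayPal: a small detector that groups login attempts by source IP and flags sources with many distinct usernames and a high failure rate, then lists the accounts that nonetheless succeeded from those sources (the set a provider would reset and notify). The log format, IP addresses, usernames and thresholds are all constructed for the illustration.

```python
"""Credential-stuffing heuristic over a constructed authentication log.

Credential stuffing replays username/password pairs leaked elsewhere, so a
stuffing source typically shows (a) many distinct usernames, (b) a high
failure rate, and (c) a handful of successes, the accounts whose owners
reused a leaked password. Legitimate users who mistype a password fail a
few times against ONE username, so they do not match.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample data (not real PayPal logs). One record per line:
#   <timestamp> <source_ip> <username> <result>
LEGIT_LINES = [
    "2022-12-06T09:58:01Z 198.51.100.20 carol FAIL",   # carol mistypes twice
    "2022-12-06T09:58:20Z 198.51.100.20 carol FAIL",
    "2022-12-06T09:58:41Z 198.51.100.20 carol OK",
    "2022-12-06T10:02:10Z 192.0.2.5 dave OK",
    "2022-12-06T10:40:00Z 192.0.2.5 dave OK",
]
# Hypothetical attacker source walking a leaked list of 15 credential pairs;
# only "alice" and "bob" reused their leaked password, so only they succeed.
STUFFED_USERS = [f"user{i:02d}" for i in range(13)] + ["alice", "bob"]
REUSED_PASSWORD_USERS = {"alice", "bob"}


def build_sample_log() -> str:
    """Assemble the constructed log text used by the example and the tests."""
    lines = list(LEGIT_LINES)
    for i, user in enumerate(STUFFED_USERS):
        result = "OK" if user in REUSED_PASSWORD_USERS else "FAIL"
        lines.append(f"2022-12-06T11:00:{i:02d}Z 203.0.113.7 {user} {result}")
    return "\n".join(lines)


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    usernames: set = field(default_factory=set)
    successes: list = field(default_factory=list)  # usernames that logged in


def parse_line(line: str):
    """Split one record into (timestamp, source_ip, username, succeeded)."""
    ts, ip, user, result = line.split()
    return ts, ip, user, result == "OK"


def detect_stuffing(log_text: str, min_distinct_users: int = 10,
                    min_fail_rate: float = 0.75) -> dict:
    """Return {source_ip: stats} for sources that look like stuffing.

    Thresholds are illustrative; tune them to the login volume of the
    service and pair the check with per-account alerting.
    """
    by_source: dict[str, SourceStats] = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, ip, user, ok = parse_line(line)
        s = by_source[ip]
        s.attempts += 1
        s.usernames.add(user)
        if ok:
            s.successes.append(user)
        else:
            s.failures += 1

    flagged = {}
    for ip, s in by_source.items():
        fail_rate = s.failures / s.attempts
        if len(s.usernames) >= min_distinct_users and fail_rate >= min_fail_rate:
            flagged[ip] = {
                "attempts": s.attempts,
                "distinct_users": len(s.usernames),
                "fail_rate": round(fail_rate, 2),
                # Accounts that accepted a replayed credential: reset + notify.
                "compromised": sorted(set(s.successes)),
            }
    return flagged


def accounts_to_notify(flagged: dict) -> list:
    """Union of accounts that authenticated from any flagged source."""
    return sorted({u for v in flagged.values() for u in v["compromised"]})


if __name__ == "__main__":
    report = detect_stuffing(build_sample_log())
    for ip, info in report.items():
        print(ip, info)
    print("notify:", accounts_to_notify(report))
```

The per-source grouping is the weak point of this heuristic: an attacker who spreads the same list across a residential proxy pool keeps every individual IP below the threshold, which is why production detections also look at per-account signals (first login from a new device or ASN, failures across many accounts within a short window) and why the lasting fix is on the account side, with MFA and blocking of known-breached passwords at set time.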

Lawsuit says PayPal failed to comply with FTC guidelines

The plaintiffs in the civil suit, one of whom is from Texas and the other from Nebraska, accuse PayPal of failing to comply with FTC guidelines for data protection, essentially saying that the company was negligent in its protection of consumer data. The suit was filed last week in the Northern District of California.

The complaint levels nine individual counts at PayPal, accusing the company of unjust enrichment, violating multiple state consumer protection laws, breach of contract, negligence and negligence per se. (The last means, in essence, that the company breached a duty of care imposed on it by a specific law, rather than the more general legal duty of care required for a standard negligence claim.) These allegations rest on a wide variety of asserted facts, and the complaint accuses PayPal of failing to adhere to a host of NIST cybersecurity guidance, including the NIST Cybersecurity Framework.

The plaintiffs said that they had suffered a number of harms as a result of PayPal’s alleged negligence, including being “forced to expend time dealing with the effects of the [d]ata [b]reach,” exposure to a sharply increased risk of fraud and identity theft, and incurring substantial costs for credit monitoring and associated services. They’ve also asked the judge to certify the suit as a class action, given the large number of alleged victims and the impracticality of naming them all as parties to the suit.

The suit asks for an unspecified amount of monetary damages for the alleged violations of the various consumer protection laws, and, as equitable relief, funding for lifetime credit monitoring and identity theft insurance, among other remedies. That is in line with the recent run of data breach lawsuits, which have met with mixed responses from US courts.

According to Robert Dillard, a legal analyst for Bloomberg Law, claims for losses in data breach incidents faced an “uneven path” forward in federal courts last year.

“2023 will almost certainly see plaintiffs and their lawyers use creative arguments to pursue relief under common-law claims,” he wrote in a November analysis. “However, the chances of success for those claims will be extremely dependent on the facts of each case as they come before a court system that has shown skepticism.”