PayPal: 1.6M Customers Potentially Impacted by TIO Breach | Digital Guardian

Digital Guardian's Blog

PayPal: 1.6M Customers Potentially Impacted by TIO Breach

PayPal Holdings Inc. said Friday it's investigating a breach at a company it acquired in July, TIO Networks, that may have affected approximately 1.6 million customers.

PayPal announced late Friday that a company it acquired this past summer, Canadian bill payment processor TIO Networks, potentially suffered a breach affecting 1.6 million customers earlier this year.

It was just a few weeks ago, in November, that the company said that it was suspending business with TIO after a co-initiated internal investigation uncovered security vulnerabilities on the TIO platform. PayPal said TIO’s data security program didn’t meet the company’s standards but didn't elaborate on its findings further.

While neither PayPal nor TIO gave a timeframe for the incident, now we know an issue with TIO's network likely led to a breach at some point over the last several months. It’s unclear exactly what kind of information may have been impacted by the breach; PayPal simply said Friday that its review of TIO's network identified "a potential compromise of personally identifiable information for approximately 1.6 million customers." The company insists that at no time was PayPal's platform impacted, nor was any of its customers' data.

TIO, based in Vancouver, British Columbia, makes bill payment tools and has a series of self-service kiosks in retail locations like Rite Aid, throughout Canada and the U.S. PayPal acquired the company in July for $232 million USD.

When reached on Monday, a spokesperson for PayPal stressed the incident is a potential compromise of information. “We are treating as a breach and taking appropriate actions, but this is not evidence that this has occurred,” the spokesman said.

While PayPal isn't going on record with regard to what may have been affected by the breach, a Wall Street Journal article, published Friday night, says the names, addresses, bank account details, Social Security numbers and login details of consumers who used TIO to pay bills may have been affected by the breach. The WSJ article, which cites a conversation with a PayPal spokesman, suggests that how much of a customer’s data may be compromised depends on how much he or she may have used TIO's apps, web tools, or kiosks.

TIO, for its part, said late Friday that it's working with companies it services to notify potentially affected individuals and, like most companies that are breached, will provide credit monitoring memberships to those ultimately impacted.

The company said its investigation "uncovered evidence of unauthorized access to TIO's network, including locations that stored personal information of some of TIO’s customers and customers of TIO billers," but didn’t specify exactly how an attacker may have infiltrated its system. 

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.