PayPal PYPL.O will incur a $2 million civil penalty due to cybersecurity issues that resulted in the leakage of customers’ Social Security numbers in late 2022, as announced by New York state’s Department of Financial Services on Thursday.

According to Adrienne Harris, the superintendent of financial services in New York, an investigation revealed that PayPal did not employ qualified personnel for critical cybersecurity tasks or offer sufficient training to mitigate cybersecurity threats.

This negligence allowed names, birthdates, and Social Security numbers of customers from the San Jose, California-based digital payment firm to be accessible to cybercriminals for approximately seven weeks, she noted.

PayPal has been cooperative during the investigation. The company stated, “Ensuring the protection of consumers’ private information and maintaining a secure platform is our utmost priority, and we take our regulatory obligations seriously.”

As detailed in a consent order, PayPal became aware of the issue after a security analyst saw an online post on December 6, 2022, which read “PP EXPLOIT TO GET SSN.”

The following day, PayPal’s cybersecurity team identified a surge in attempts to access its platform and found out that cybercriminals were leveraging “credential stuffing” to check federal tax forms for many customers.

The data breach occurred after PayPal modified its existing data flows to broaden access to these forms for more customers.

Harris criticized PayPal for not mandating that customers utilize multifactor authentication or mechanisms like CAPTCHA to block unauthorized logins.

The penalty was imposed for breaching the financial services department’s cybersecurity regulations established in 2017.

Currently, PayPal enforces multifactor authentication on all U.S. customer accounts, has mandated password resets for impacted accounts, and has incorporated CAPTCHA, according to the consent order.

Reporting by Jonathan Stempel in New York; Editing by Hugh Lawson and Bill Berkrot