The Ever-Menacing World Of Cybersecurity Hits PayPal, Subaru, And PowerSchool

As the world rushes towards a more digital future, it becomes increasingly connected, with traditionally offline processes porting to digital solutions.

As such, this benefits individual users and businesses alike, as it speeds up communication, productivity, operations, logistics, travel, and a wide range of other activities.

However, the downside of all this digitalization is that it attracts various bad actors. This too is a drawback that’s faced by individuals and businesses alike. Yet, in the case of businesses, it’s worse, as they’re responsible for the data of their users and customers.

Lapses in security in such situations attract the rancor of customers in addition to legal ramifications.

This is what digital wallet and online payment platform PayPal found itself in recently.

The company agreed to settle a lawsuit by the New York State Department of Financial Services, which alleged that PayPal violated its Cybersecurity Regulation, resulting in cybersecurity failures leading to data breaches.

These breaches meant that bad actors were able to access IRS Form 1099-Ks using compromised credentials to extract names, dates of birth, Social Security numbers, and other sensitive information, following a change made by PayPal in existing data flows.

The settlement will see PayPal pay a civil fine of $2 million.

A probe by Superintendent Adrienne Harris’ office discovered that PayPal failed to use qualified staff to manage key cybersecurity functions and didn’t provide adequate training to address cybersecurity risks.

Speaking about the settlement, Superintendent Harris said, “New York’s nation-leading cybersecurity regulation sets a critical standard for safeguarding consumer data and strengthening the resilience of financial institutions.” 

“Qualified cybersecurity personnel are the first line of defense against potential data breaches, and providing proper training and effectively implementing cybersecurity policies and procedures are vital steps to protecting sensitive data and mitigating risks.”

However, PayPal responded saying it takes its regulatory responsibilities seriously and the protection of consumers’ personal information and ensuring a secure platform is a “top priority.”

The statement read, “After self-reporting and disclosing this issue, we worked closely with the New York Department of Financial Services to resolve this matter, which occurred in December 2022.”


While PayPal’s situation is more or less sorted and a thing of the past (once they pay the penalty that is), automaker Subaru has just entered the eye of the cybersecurity storm.

In November 2023, security researchers Sam Curry and Shubham Shah discovered vulnerabilities in Subaru’s Starlink-connected vehicle service web portal, which allowed them to access the vehicle’s system and remotely lock, unlock, start, and stop the car. Not only this, but they were also able to enable any phone or computer to gain control of those features.

This was just the tip of the iceberg.

They discovered they could locate any Subaru vehicle, as well as access its location history from the last year, accurate to within five meters.

Furthermore, they could extract the personally identifiable information (PII) of any customer, spanning emergency contacts, authorized users, physical address, billing information, and vehicle PIN.

Through this, they could also access call history, previous owners, odometer readings, sales history, and more.

The truly troubling part, though, is that any bad actor could retrieve this information if they knew a user’s last name and ZIP code, email address, phone number, or license plate.


The duo reported their findings to Subaru immediately, and a patch was deployed soon after. However, further research found that such vulnerabilities existed in the systems of Acura, Genesis, Honda, Hyundai, Infiniti, Kia, Toyota, and more.

In this case, a lot of customers must have been saved as cybersecurity researchers found the issues before they became a major problem.

Unfortunately, that wasn’t the case with PowerSchool, which provides cloud-based software to around 16,000 K–12 schools worldwide.

The company revealed it faced a network breach in late 2024 that resulted in personal information being exported by unauthorized users using stolen credentials. The breach affected customer information stored in PowerSchool’s Student Information System (SIS) by using its customer support portal, PowerSource.

Hackers who claimed to be behind the attacks claim they stole the personal information of over 62 million students and 9.5 million teachers of 6,505 school districts in the US, Canada, and other countries.

This data pertains to information such as First, middle, and last names; date of birth; gender; health card number; grade level and school information; start/end date as a student; Ontario Education Number; EQAO accommodation information; medical information (i.e., allergies, conditions, injuries); home addresses; home phone numbers; TDSB student number; TDSB email address; First Nations, Métis, and Inuit information; residency status; and principal/vice principal notes (including discipline notes).

In response, PowerSchool provided a statement, an excerpt of which read, “We care deeply about the students, teachers, and families we serve and are wholeheartedly committed to supporting them. PowerSchool will be offering two years of complimentary identity protection services and two years of complimentary credit monitoring services for all applicable students and educators whose information was involved.”

This move is being done by PowerSchool for all users suspected of being affected and is not required by regulation.

What measures do you think should be made mandatory for businesses hosting sensitive and crucial private data and information?

Let us know in the comments below!