A Code Error in PayPal’s Loan System Left Sensitive Data Exposed for Months
Key Takeaways
- Application Error Drove Exposure: A code change in PayPal’s Working Capital loan application led to the exposure of certain customers’ PII between July 1 and December 13, 2025.
- Sensitive Data Involved: Exposed information may have included business contact details combined with Social Security numbers and dates of birth.
- Limited but Material Impact: PayPal described the affected population as small, though some customers experienced unauthorized transactions and were refunded.
- Five-Month Exposure Window: The issue persisted for more than five months before being identified and remediated.
Deep Dive
PayPal is notifying a number of customers that their personal information was exposed following a coding error in its PayPal Working Capital loan application, an issue that persisted for more than five months before being identified.
According to the company’s notice, PayPal discovered on December 12, 2025 that a code change tied to its PayPal Working Capital (PPWC) application had resulted in certain personally identifiable information being exposed to unauthorized individuals. The exposure occurred between July 1, 2025 and December 13, 2025.
The company said it rolled back the code change responsible for the error and terminated the unauthorized access after identifying the issue. PayPal also stated that it did not delay notification as a result of any law enforcement investigation.
Unlike incidents rooted in phishing campaigns or ransomware, this event stemmed from an application-level error inside a lending workflow, a distinction that may shape how institutions think about internal controls as much as perimeter defenses.
Information Potentially Affected
PayPal said the affected data may have included business contact information (name, email address, phone number, and business address) combined with Social Security number and date of birth.
While the company described the number of impacted customers as limited, the data elements involved are among the most sensitive categories of personal information. In addition, a small number of customers experienced unauthorized transactions on their accounts. PayPal said it has refunded those customers.
After discovering the issue, PayPal initiated an investigation, reset passwords for affected accounts, and implemented enhanced security controls requiring impacted users to establish a new password if they have not already done so.
The company is offering two years of complimentary credit monitoring and identity restoration services through Equifax, with enrollment available through June 30, 2026.
In its notification, PayPal encouraged customers to review account activity and credit reports for suspicious transactions and referenced additional guidance from the Federal Trade Commission on fraud alerts and identity protection. The company reiterated that it will never request usernames, passwords, or authentication codes by phone, text, or email.
PayPal said it “takes the security of your information very seriously” and expressed regret for any inconvenience caused.