In total, up to 1.6 million customers may have had their information leaked, which could include personally identifiable information (PII) or potentially financial data.
No details on the type of information exposed have yet been revealed; however, PayPal says the unauthorized access was "ongoing."
PayPal acquiredTIO Networks in July 2017 in a deal worth $238 million. TIO Networks operates under PayPal's umbrella but acts as a separate company, processing over $7 billion in consumer bill payments in 2016, supporting roughly 16 million customer bill pay accounts.
In November, PayPal announced the suspension of TIO Networks' operations due to "PayPal's discovery of security vulnerabilities on the TIO platform and issues with TIO's data security program that do not adhere to PayPal's information security standards."
TIO's platform, thankfully, has not been integrated into PayPal's business, which means users of the latter have not been impacted by the latest disclosure.
PayPal launched an internal investigation into the newly-acquired firm's business and hired a third-party cyberforensics company to review the TIO bill payment platform after suspending operations, revealing the data breach.
TIO Networks has begun notifying those potentially impacted by the security issue and Paypal has signed up credit reporting agency Experian to provide free monitoring for 12 months to customers which have been verified as victims.
"At this point, TIO cannot provide a timeline for restoring bill payment services, and continues to recommend that you contact your biller to identify alternative ways to pay your bills," TIO Networks says. "We sincerely apologize for any inconvenience caused to you by the disruption of TIO's service."