PayPal says personal data may be compromised for 1.6 million TIO users

PayPal Holdings Inc. said Friday that personally identifiable information for roughly 1.6 million users has potentially been compromised at a company it acquired earlier this year.

Last month, the payments firm suspended operations, pending a security review, of its TIO Networks unit. That company makes digital bill-payment tools for utilities and other firms and also operates a network of kiosks in physical retail stores.

PayPal said Friday that an investigation into security vulnerabilities at TIO had found users' information was potentially compromised.

Among customer information possibly affected, according to a PayPal spokesman, were names, addresses, bank-account details, Social Security numbers and login details of consumers who used TIO to pay bills.

How much of a given user's data was potentially compromised depends on whether he or she used TIO's smartphone apps, web tools or kiosks, the spokesman said. He added that no one TIO service had the full range of customer data exposed and that PayPal hasn't found any evidence the information was taken out of TIO.

Following PayPal's announcement, the New York Department of Financial Services said in a statement that it is working with the company, which it regulates, to "investigate and address issues related to cybersecurity vulnerabilities."

Revelations of potential data-security issues at TIO come nearly three months after credit-reporting firm Equifax Inc. said that hackers had taken vital personal information belonging to potentially 145.5 million Americans.

PayPal paid roughly $238 million in cash to acquire TIO in a deal that closed in July. When the transaction was announced in February, PayPal Chief Operating Officer Bill Ready told The Wall Street Journal that TIO would help the company reach more consumers who lack traditional financial accounts.

At the time of the announcement, TIO served 14 million consumer accounts and 10,000 billers through a network of retail locations across the U.S. PayPal hasn't integrated TIO with its platform, so PayPal users aren't affected by the security vulnerabilities at TIO.

PayPal will offer affected TIO consumers free credit-monitoring services through Experian Plc, the spokesman said.

Write to Peter Rudegeair at Peter.Rudegeair@wsj.com