Fifteen million passwords, emails, and account details — if hackers’ claims are true, that’s what’s at stake in a potential PayPal breach. Meanwhile in Kenya, three banks are fined for data protection violations, as a former employee leaked client records. Let’s dive into details in our weekly digest.

One of the biggest cybersecurity stories in recent days is a potential data breach at PayPal. Hackers are reportedly selling a dataset containing 15.8 million user credentials. While PayPal officials deny that any leak has occurred, the attackers claim the data comes from an incident in May 2025.

PayPal has long been a prime target for cybercriminals, as it processes a massive volume of financial transactions and handles highly sensitive information. The company’s last confirmed incident took place in 2022, when it suffered a credential-stuffing attack — a method where stolen usernames and passwords are used to break into accounts. Earlier this year, PayPal paid a $2 million fine after the court ruled that implemented security measures were not sufficient to ensure the safety of confidential data.

So far, the company has not reported any security incidents in 2025, raising questions about the true origin of the alleged leak.

According to the hackers, the stolen archive contains:

• Login emails,
• Plaintext passwords,
• Associated URLs.

If authentic, such a database could fuel large-scale credential-stuffing attacks.

Independent researchers, however, have not been able to verify the claims because only a small sample of the data has been released. They observed that many of the sample records were duplicates, which could mean the actual number of unique credentials is far lower than 15.8 million. The format of the data also suggests it may have been harvested through infostealer malware and later compiled into a single package.

Meanwhile, news about the enforcement of data protection practices is coming from Kenya. The Office of the Data Protection Commissioner (OPDC) made a ruling against three local banks and found them guilty of data protection law violation.

According to the determination, Kenya Women Microfinance Bank illegally shared borrowers’ personal data with Family Bank and Co-operative Bank of Kenya, exposing sensitive loan details and client contact information. The regulator issued an enforcement notice against one of the financial organizations and fined them Sh 650,000 (about $5,000).

During the investigation, the Commissioner revealed that one of the banks admitted to obtaining borrower records as part of “market intelligence” activities — without the explicit consent of the individuals concerned. This was deemed a clear violation of local regulations.

Interestingly, Kenya Women Microfinance Bank argued that the data leak occurred through a former employee who accessed records after their contract had ended. However, the Commissioner emphasized that data controllers and processors are legally required to implement strong safeguards to prevent unauthorized access or disclosure of personal data. By failing to do so, the bank was found to be in breach of its legal obligations.

Financial organizations are often subject to strict oversight when it comes to data protection. They must comply with local laws as well as international standards such as PCI DSS and ISO 27001. Failure to do so can result in heavy fines and legal consequences.

For example, Risk Monitor— a Next-Gen Data Loss Prevention (DLP) system — could have been highly valuable for Kenya Women Microfinance Bank in the case mentioned earlier. The solution is designed to prevent unauthorized access to or modification of a client's data and its illicit sharing. It also helps manage user access rights and supports regulatory compliance, strengthening both the bank’s overall security posture and the efficiency of its data protection officers.

Investing in information security tools delivers clear benefits that any organization can measure — protecting sensitive data, ensuring compliance, and ultimately safeguarding business continuity and customer trust.