How Malware Can Sneak in Through M&A
Companies that handle sensitive customer data have even more to worry about when making an acquisition. Not only do they have to be sure the acquired company has good security, but they can't let their guard down even after the acquisition closes.

This was an issue for Prague-based security company Avast, which acquired Piriform, a small London-based firm best known for its widely used CCleaner tool. Unbeknownst to both Piriform and Avast, the former's servers had been hacked a few months earlier, and the hackers were waiting patiently for the best opportunity to strike.

It's a security issue that could just as easily affect a payments company, and in some cases already has. In 2014, identity theft protection provider Lifelock had to pull its recently acquired Lemon wallet app off the market after it determined it was not compliant with the Payment Card Industry data security standards. In December of last year, PayPal had to change its plans after it was found that personal and financial data of up to 1.6 million customers of TIO Networks, a Canadian company PayPal had recently acquired, had been exposed.

The Avast incident reentered the conversation when the company's CTO, Ondrej Vlcek, brought new details to light at last week's RSA conference in San Francisco. What's striking is that the attackers chose to remain dormant until after the sale was completed.

"The attackers were in the Piriform network five months before they snuck the malicious payload into the CCleaner build. Avast acquired Piriform on July 18, 2017, and the first CCleaner build with the malicious payload appeared on August 2, 2017," Vlcek said in a blog post that complemented his presentation. "It's interesting it took them so long before they initiated their attack on CCleaner users."

When a company is acquired, the buying company is supposed to perform due diligence and check things like the value of the company, the amount of bad debt and whether regulators would approve of the acquisition. But the security risks the acquired company is exposed to are too often ignored.

"M&A due diligence has to go beyond just legal and financial matters," Vlcek wrote. "Companies need to strongly focus on cybersecurity, and for us this has now become one of the key areas that require attention during an acquisition process. Second, the supply chain hasn't been a key priority for businesses, but this needs to change. Attackers will always try to find the weakest link, and if a product is downloaded by millions of users, it is an attractive target for them."

The GDPR, the EU's data protection regulation that will come into force next month, is probably going to make this even more important, as companies will have an obligation to proactively account for the integrity and security of customer data.

In any acquisition, the buyer doesn't just buy a brand, a product, assets and a customer base; it also acquires the company's security posture. And one had better do a very good job of investigating what that looks like.