CUs Brace for Aftershocks From PayPal Sister Company Data Breach
Buyer’s remorse? No due diligence? Credit union aftershocks? More questions than answers exist following the breach revelation by TIO Networks, the payment processor PayPal recently acquired, which exposed 1.6 million customers’ information.
Last week, Vancouver, Canada-based TIO Networks, which PayPal acquired in February 2017 in a $238 million deal, revealed attackers gained access to the personal – and perhaps billing – information of some of its customers and billers. The breach did not affect the PayPal platform.
PayPal said it suspended TIO Networks’ operations due to the discovery of security vulnerabilities and issues. TIO Networks, which operates separately under PayPal’s umbrella, oversees some 60,000 utility and bill-payment kiosks in North America.
“Why did PayPal wait until after purchasing TIO Networks to perform a security assessment and audit?” Rebecca Herold, president of the Des Moines, Iowa-based SIMBUS and CEO of The Privacy Professor, asked. “Part of expected, logical and feasible due diligence for any type of business acquisition is to perform an information security and privacy risk assessment, and compliance audit. Too many don’t include such assessments and audits.” Herold added that every organization expecting to grow and potentially acquire other businesses needs to have a documented mergers and acquisitions policy that includes an information security, privacy and compliance clause/section.
For credit unions, the incident is another reminder of the indirect, yet potentially significant, effects on their bottom line, Brian Godwin, interim CEO for Des Moines-based PolicyWorks, indicated. “Credit unions end up absorbing a lot of the losses from the fraud that inevitably follows breaches, large and small.” Godwin added that regulations protect consumers by limiting their liability, and that the spirit of these rules is good. “Credit unions want to protect their members. And in many ways, the added security the regulations offer consumers keep products like credit and debit cards attractive to members. It’s a double-edged sword.”
Paul Love, chief information security officer for Rancho Cucamonga, Calif.-based CO-OP Financial Services, warned this is another breach increasing the number of people whose information is exposed to criminals. “This means that credit unions may be affected via fraud losses or needing to reissue cards, as some cards may have been compromised.” Breaches of payment card data continue to push the expense of other organizations’ breaches onto financial institutions, including credit unions. “Additionally, there is speculation that SSNs may have been part of this breach.”
“There needs to be technical due diligence, just like financial due diligence, whenever one company is acquiring or merging with another,” Tom DeSot, EVP and CIO of San Antonio, Texas-based Digital Defense, Inc., noted. “It should be a negotiating point for the buyer in the case of an acquisition because they should have a general idea of what shape the other firm’s network is in, and how much it is going to cost them to deal with the security.”
Jake Olcott, VP of Strategic Partnerships at Cambridge, Mass.-based BitSight, and a former legal advisor on cybersecurity issues in Congress, held that many levels of due diligence must take place during an M&A transaction. “While companies primarily focus on financial risk, cyber risk has emerged as an area that cannot be ignored.” Olcott added that one of the biggest challenges is ascertaining the acquiree’s historical controls effectiveness and operational track record within the due diligence period.
“The biggest question here is why this system vulnerability was not discovered PRIOR to the acquisition,” John Kronick, director of cybersecurity solutions for El Segundo, Calif.-based PCM, Inc., noted. “Considering that TIO Networks processes credit card transactions, and is required to undergo certified annual PCI audits by a Qualified Security Assessor, how was this vulnerability overlooked or not discovered during the PCI audit? The whole security process, from normal PCI credit card security, to patching and monitoring, and pre-acquisition security program, is in question.”
For credit unions, two big takeaways exist, explained Sherri Davidoff, founder/CEO of Missoula, Mont.-based LMG Security. “First, we can no longer rely on knowledge-based authentication to verify customers’ identities over the phone. Your Social Security number is effectively public. Credit unions should consider deploying phone print or voice recognition technologies. Second, passwords are passé.” Davidoff recommended credit unions offer members the option of using two-factor authentication because of the theft and reuse of many passwords.