Buyer’s remorse? No due diligence? Credit union aftershocks? More questions than answers exist following PayPal’s recently acquired payment processor TIO Networks’ breach revelation that exposed 1.6 million customers’ information.

Last week, Vancouver, Canada-based TIO Networks, which PayPal acquired in February 2017 in a $238 million deal, revealed attackers gained access to the personal – and perhaps billing – information of some of its customers and billers. The breach did not affect the PayPal platform.

PayPal said it suspended TIO Networks’ operations due to the discovery of security vulnerabilities and issues. TIO Networks, which operates separately under PayPal’s umbrella, oversees some 60,000 utility and bill payment kiosks in North America.

“Why did PayPal wait until after purchasing TIO Networks to perform a security assessment and audit?” Rebecca Herold, president of the Des Moines, Iowa-based SIMBUS and CEO of The Privacy Professor, asked. “Part of expected, logical and feasible due diligence for any type of business acquisition is to perform an information security and privacy risk assessment, and compliance audit. Too many don’t include such assessments and audits.” Herold added every organization expecting to grow and potentially acquire other businesses needs to have a documented mergers and acquisitions policy that includes an information security, privacy and compliance clause/section.

For credit unions the incident is another reminder of the indirect, yet potentially significant, effects on their bottom line, Brian Godwin, interim CEO for Des Moines-based PolicyWorks, indicated. “Credit unions end up absorbing a lot of the losses from the fraud that inevitably follows breaches, large and small.” Godwin added regulations protect consumers by limiting their liability. The spirit of these rules is good. “Credit unions want to protect their members. And in many ways, the added security the regulations offer consumers keeps products like credit and debit cards attractive to members. It’s a double-edged sword.”

Paul Love, chief information security officer for Rancho Cucamonga, Calif.-based CO-OP Financial Services, warned this is another breach increasing the number of people with information exposed to criminals. “This means that credit unions may be affected via fraud losses or needing to reissue cards, as some cards may have been compromised.” Breaches of payment card data continue to push the expense of other organizations’ breaches to financial institutions, including credit unions. “Additionally, there is speculation that SSNs may have been part of this breach.”

“There needs to be technical due diligence, just like financial due diligence, whenever one company is acquiring or merging with another,” Tom DeSot, EVP and CIO of San Antonio, Texas-based Digital Defense, Inc., noted. “It should be a negotiating point for the buyer in the case of an acquisition because they should have a general idea of what shape the other firm’s network is in, and how much it is going to cost them to deal with the security.”

Jake Olcott, VP of Strategic Partnerships at Cambridge, Mass.-based BitSight, and a former legal advisor on cybersecurity issues in Congress, held many levels of due diligence must take place during an M&A transaction. “While companies primarily focus on financial risk, cyber risk has emerged as an area that cannot be ignored.” Olcott added one of the biggest challenges is ascertaining the acquiree’s historical controls effectiveness and operational track record within the due diligence period.

“The biggest question here is why this system vulnerability was not discovered PRIOR to the acquisition,” John Kronick, director of cybersecurity solutions for El Segundo, Calif.-based PCM, Inc., noted. “Considering that TIO Networks processes credit card transactions, and is required to undergo certified annual PCI audits by a Qualified Security Assessor, how was this vulnerability overlooked or not discovered during the PCI audit? The whole security process, from normal PCI credit card security, to patching and monitoring, and pre-acquisition security program, is in question.”

For credit unions, two big takeaways exist, explained Sherri Davidoff, founder/CEO of Missoula, Mont.-based LMG Security. “First, we can no longer rely on knowledge-based authentication to verify customers’ identities over the phone. Your Social Security number is effectively public. Credit unions should consider deploying phone print or voice recognition technologies. Second, passwords are passé.” Davidoff recommended credit unions offer members the option of using two-factor authentication because of the theft and reuse of many passwords.

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.