tips tools privacy

SecurityTrails Blog · Jun 06 · SecurityTrails team

Find Vulnerabilities Before They Become Yours: Cybersecurity with Mergers and Acquisitions

Reading time: 11 minutes

All digital assets, including network systems, data and the way it’s stored and protected, are the foundation of any successful business. That’s why they can pose a significant business risk. The dependence of modern businesses on their digital records raises their potential vulnerability to security breaches.

Every company has the potential to be a target of a data breach. Poor cyber hygiene can cost companies millions of dollars in damages, with the average cost of a data breach being $3.86 million. Sometimes a breach can compromise their integrity to the point of being irremediable.

With companies struggling to keep their security posture and maintain proper data privacy, it’s no surprise that when another company is involved, issues can arise. These issues won’t just disappear when the time comes for the merger or acquisition, they’ll just pollute the infrastructure created by the M&A deal.

Why are M&As so vulnerable?

The value of mergers and acquisitions hit $3.8 trillion worldwide last year, and that number is only expected to grow. While the concept of cybersecurity in mergers and acquisitions is nothing new, numerous high-level breaches and other recent events surrounding data loss during M&As have made it more important than ever to shed light on the importance of cybersecurity and due diligence. The quality and value of an M&A deal can be greatly impacted by the target’s lack of data privacy and security compliance.

Why are M&As so interesting to attackers?

Attackers are willing to exploit any situation that will allow them access to sensitive data, trade secrets, and the like. And criminals find the environment around M&As particularly sustaining; with more people involved, there’s a higher chance of human error and of overlooking some critical aspect of the network during security assessments. The acquirer and the target are vulnerable during the M&A process, with third party vendors often playing a part in attacks on banks, law companies, supply chain and others.

While discovering data breaches and other cyber threats to the target company can harm the deal, it doesn’t often lead to outright termination; delays and added costs are more likely. Yet that does affect the entire structure and outcome of the M&A deal, including the value the acquirer places on the target company. To avoid these consequences, acquirers need to be diligent, by analyzing cyber risks and the target’s vulnerabilities, evaluating the target’s data assets — and never missing a red flag.

Prevention is better than intervention

When the acquirer doesn’t conduct proper penetration testing and assessment of vulnerabilities, and isn’t sufficiently informed about the data privacy of the company they want to acquire, they can encounter a data breach somewhere down the line. One that will result in financial penalties and the loss of trust from their customers.

Reducing the chances of suffering a data breach during or post-acquisition will ensure that the process goes smoothly, with both sides content and the merger or acquisition well worth the investment of time, resources and effort.

It’s important to note that if the acquirer fails to perform a thorough cybersecurity assessment of the target company resulting in a data breach couple of months or even years after the acquisition, that doesn’t necessarily mean the target company had intentionally hidden the fact that they had been compromised by remote attackers. We witness, way too often, that companies are not even aware of a security breach in their infrastructure as many attacks don’t damage the external services of the company, they lay dormant before causing any “real” damage that can’t be ignored.

Data loss with mergers and acquisitions isn’t an issue for tech companies exclusively. We have seen hotel chains, restaurant chains and pharmaceutical companies getting breached and suffering cyber attacks for years.

For example, in the food and drinks industry, a company often has a “secret ingredient” that’s considered a trade secret. This intellectual property can be the reason behind cyber attacks on the company. When a company’s trade secret is exposed, the market value of the company decreases and in turn, greatly affects the value of an M&A deal.

Reducing the chances of suffering a data breach during or post-acquisition will ensure that the process goes smoothly, with both sides content and the merger or acquisition well worth the investment of time, resources and effort.

Companies that have suffered a data breach after M&A

The following companies were hacked or their data was leaked after an acquisition or merger.

2018

FitMetrix/MindBody (acquisition) — 113.5 million records
FitMetrix, a fitness technology and performance tracking company owned by gym booking giant Mindbody, exposed millions of user records because several of its servers were not equipped with a password. FitMetrix was acquired by gym and wellness scheduling service Mindbody in February 2018 for $15.3 million.

Starwood Group/Marriott (acquisition) — 500 million accounts
Marriott announced that cyber thieves had stolen data on approximately 500million customers. The breach occurred on systems supporting Starwood hotel brands starting in 2014. The attackers remained in the system after Marriott acquired Starwood in 2016 and were not discovered until September 2018.

MyfitnessPal/Under Armour (acquisition) — 150 million accounts
The Under Armour data breach affected an estimated 150 million users of its food and nutrition application, MyFitnessPal in March 2018. Payment information was not released, but user names, emails and encrypted passwords were affected. Shares of Under Armour dropped 3.8 percent.

Bongo International/FedEx (acquisition) — 119,000 files
In February 2018, FedEx admitted that it left customer records on an unsecured Amazon S3 server containing more than 119,000 files. The information stored in the server included numerous scanned documents from U.S. and international citizens, such as passports, drivers licenses and security identification. The data was the property of Bongo International, a company that helped US retailers sell to customers in other countries. Documents date back to 2008 and the server was updated until September 2015. FedEx acquired Bongo International in 2014, relaunching it in 2016 as FedEx Cross Border.

2017

Uber/Softbank (sold a stake) — 57 million customers
Uber disclosed that a breach had exposed the private information of 57 million customers. Uber failed to disclose the attack for a year by paying off the hackers, This breach is believed to have cost Uber in both reputation and money. At the time that the breach was announced, the company was in negotiations to sell a stake to Softbank. Initially, Uber’s valuation was $68 billion. By the time the deal closed in December, its valuation dropped to $48 billion.

TIO Networks/PayPal (acquisition) — 1.6 million customers
PayPal was left red-faced after it was forced to admit to a massive data breach right after they acquired TIO Networks in July 2017. PayPal paid $238 million to acquire the company. Hackers potentially stole personally identifiable information, and possibly financial data, for as many as 1.6 million of its customers.

Whole Foods/Amazon (acquisition) — 100 venues
Whole Foods disclosed its breach in September 2017 after Amazon had just acquired the Austin-based supermarket chain and had not merged their systems. A data breach involving credit card charges made at the grocer’s taprooms and full-service restaurants affected about 100 venues in its stores over a six-month period. The hack lasted from March 10 until Sept. 28 and included bars and restaurants in 30 states.

Multiple companies/Equifax (acquisition) — 143 million accounts
A giant cybersecurity breach compromised the personal information of as many as 143 million Americans — almost half the country. Cyber criminals accessed sensitive information including names, social security numbers, birth dates, addresses and drivers licenses. Additionally, credit card numbers for about 209,000 U.S. customers were exposed, as was “personal identifying information” on roughly 182,000 U.S. customers involved in credit report disputes. Residents in the U.K. and Canada were also impacted. The breach occurred between mid-May and July. They discovered the hack on July 29. This data breach is regarded as one of the worst ever, by its reach and the kind of information exposed to the public.

Women’s Health Care Group of PA (merger) — 300,000 patients
A hacker attack in May 2017 impacted hundreds of thousands of patients, ranking this as the second largest ransomware-related health data breach reported to federal regulators to date. Patients’ personal health information was at risk—the security flaw allowed limited access to patient information before it encrypted certain files. WHCGPA is comprised of 25 divisions, with 45 locations throughout Pennsylvania. They merged with NJ-based Regional Women’s Health Group, to form a new entity Axia Women’s Health.

2016

Yahoo/Verizon (merger) — 500 million + 3 billion accounts
Yahoo! reported two major data breaches of user account data to hackers during the second half of 2016. The first announced breach, reported in September 2016, had occurred sometime in late 2014 and affected over 500 million Yahoo! user accounts. A separate data breach, occurring earlier around August 2013, was reported in December 2016 and impacted all 3 billion of its user accounts. Both breaches are considered the largest discovered in the history of the Internet. The breaches impacted Verizon’s July 2016 plans to acquire Yahoo! for approximately $4.8 billion, resulting in a decrease of $350 million for the final price of the deal in June 2017.

Staminus/Stackpath (acquisition) — 50GBs data
Staminus fell victim to a massive hack in March 2016, with the company’s entire network knocked offline for more than 20 hours. Usernames, hashed passwords, customer record information including name and contact details, and payment card data were exposed. Nearly 50GBs of compromised data was published to the web.

2014

Viator/TripAdvisor (acquisition) — 1.4 million accounts
In 2014, the online travel site TripAdvisor acquired tour booking company Viator for $200 million. The transaction closed in mid-August 2014 and, approximately two weeks later, Viator announced that it was the victim of a data breach and that the personal details and credit card information for up to 1.4 million customers was likely compromised. TripAdvisor’s stock fell 5% percent after the news broke.

Court Ventures/Experian (acquisition) — 200 million customers
In March 2012, Experian purchased a legal data retrieval services company called Court Ventures. In 2014, the U.S. Secret Service notified Experian that Court Ventures was selling information from US Info Search, a reverse data lookup platform, to a Vietnamese national. This breach exposed the social security numbers of some 200 million people to potential criminal activity. In 2015, a Vietnamese man linked to the data breach was sentenced to 13 years in prison.

Importance of cybersecurity due diligence in M&As

Improving awareness around cybersecurity with mergers and acquisitions is crucial in understanding the risks that are involved with the transaction. Cybersecurity due diligence is of great benefit, not only to the buyer but to the seller as well. Appropriate cybersecurity plans need to be in place.

When it comes to an M&A deal, it’s important to comprehend the critical nature of vulnerabilities that the target company may have, and the potential extent of the damages caused by a possible data breach prior or post-acquisition.

The main cybersecurity risks include the state and effectiveness of the cybersecurity program of the target, the amount of data they possess, how that data is stored, the sensitivity of data and how it’s protected and the target’s potential attack surface.

To begin with the cybersecurity assessments, the acquirer needs to identify and analyze all digital assets, prior cyber threats and network infrastructure, as well as perform penetration testing and a DNS audit of the target company. The data collected during this analysis will reveal the target’s possible existing vulnerabilities, if there will be any future security concerns for the acquirer, and in the end, inform the structure and outcome of the M&A deal itself.

The target company and acquirer must constantly assess their cybersecurity during the entire process to ensure that both are not susceptible to any attacks. If a cyber risk is uncovered during the due diligence process, both companies need to engage in more thorough assessments and work on creating a cyber response plan program to mitigate any future attacks.

Final thoughts

Mergers and acquisitions continue to grow in popularity.. It’s on both the acquirer and the seller to be diligent prior, during and post-acquisition. We probably won’t see a decreasee in data breaches, so it’s important to be prepared for any risks that threaten the final outcome of the deal and its aftermath.


Start your security assessment by auditing your DNS zones today using SecurityTrails as the first step in order to secure your DNS servers, collect information, and try to reduce your DNS public information as much as possible. You can also start a trial for SurfaceBrowser to uncover external internet surface area of your company, or any other target company.