Several months after acquiring TIO Networks in July of this year, PayPal suspended the acquisition’s operations after it discovered security vulnerabilities on the TIO platform and determined that the TIO data security program didn’t meet PayPal’s standards. PayPal has just announced an update on the suspension of operations – including news that information on over 1 million customers may have been compromised.
Investigation and Breach Details
TIO Networks is a publicly traded payment processor that serves customers who pay utility and cable bills in cash at kiosks and walk-in locations. Many of its customers don’t have bank accounts and rely on the service to pay their bills.
PayPal provided the following details regarding the investigation and breach in its press release:
- After suspension of operations, an ongoing investigation identified evidence of unauthorized access to TIO’s network, including locations that stored personal information of some of TIO’s customers and customers of TIO billers.
- A review of TIO’s network identified a potential compromise of personally identifiable information for approximately 1.6 million customers.
- The PayPal platform was not impacted because the TIO systems are completely separate from the PayPal network.
- TIO has begun working with the companies it services to notify potentially affected individuals.
- PayPal is working with a consumer credit reporting agency to provide free credit monitoring memberships. Individuals who are affected will be contacted directly and receive instructions to sign up for monitoring.
A frequently asked questions document on the TIO website said that TIO cannot provide a timeline for restoring bill pay services, and recommended that customers contact their biller to identify alternative ways to pay bills.
The Importance of Due Diligence
This episode highlights the importance of an acquirer performing a due diligence review of the target, especially where data security processes and policies are concerned. The target company’s IT vulnerabilities ultimately become the acquiring company’s vulnerabilities.
In this case, PayPal launched an internal investigation into the newly acquired firm’s business and hired a third-party cyber-forensics company to review the TIO platform after suspending operations, and that work revealed the data breach.