How malware can sneak in through M&A

Companies that handle sensitive customer data have even more to worry about when making an acquisition. Not only do they have to be sure the acquired company has good security, but they can't let their guard down even after the acquisition closes.

This was an issue for Prague-based security company Avast, which acquired Piriform, a small London-based firm, best known for its widely used CCleaner tool. Unbeknownst to both Piriform and Avast, the former’s servers had been hacked a few months earlier, and the hackers were waiting patiently for the best opportunity to strike.

the_lightwriter - stock.adobe.com

It's a security issue that could just as easily affect a payments company — and in some cases, already has. In 2014, identity theft protection provider Lifelock had to pull its recently acquired Lemon wallet app off the market after it determined it was not compliant with the Payment Card Industry data security standards. In December of last year, PayPal had to change its plans after it was found that personal and financial data of up to 1.6 million customers of TIO Networks, a Canadian company PayPal had recently acquired, had been exposed.

The Avast incident reentered the conversation when the company's CTO, Ondrej Vlcek, brought new details to light at last week's RSA conference in San Francisco. What's striking is that the attackers chose to remain dormant until after the sale was completed.

"The attackers were in the Piriform network five months before they snuck the malicious payload into the CCleaner build. Avast acquired Piriform on July 18, 2017 and the first CCleaner build with the malicious payload appeared on August 2, 2017," Vlcek said in a blog post that complemented his presentation. "It’s interesting it took them so long before they initiated their attack on CCleaner users."

When a company is acquired, the buying company is supposed to perform due diligence and check things like the value of the company, the amount of bad debt and whether regulators would approve of the acquisition. But the security risks the acquired company is exposed to are too often ignored.

"M&A due diligence has to go beyond just legal and financial matters,” Vlcek wrote. "Companies need to strongly focus on cybersecurity, and for us this has now become one of the key areas that require attention during an acquisition process. Second, the supply chain hasn’t been a key priority for businesses, but this needs to change. Attackers will always try to find the weakest link, and if a product is downloaded by millions of users it is an attractive target for them."

The GDPR, the EU’s data protection regulation that will come into force next month, is probably going to make this even more important, as companies will have an obligation to proactively account for the integrity and security of customer data.

In any acquisition, the buyer doesn’t just buy a brand, a product, assets and a customer base; it also acquires the company’s security posture. And one would better do a very good job at investigating what that looks like.