PayPal Holdings revealed on Dec. 1 that its TIO Networks payment processing service was the victim of a data breach, impacting 1.6 million customers.
PayPal acquired TIO in July 2017 for $238 million to help bolster its electronic payment portfolio. It's not clear at this point if TIO was breached prior to the PayPal acquisition. What is known is that PayPal became suspicious as early as Nov. 10.
"As announced on November 10, PayPal suspended the operations of TIO to protect customer data as part of an ongoing investigation of security vulnerabilities of the TIO platform," PayPal stated. "This ongoing investigation has identified evidence of unauthorized access to TIO's network, including locations that stored personal information of some of TIO's customers and customers of TIO billers."
PayPal noted in its disclosure that the TIO Networks systems are separate from the PayPal network and there is no direct impact to PayPal's users. PayPal added that TIO is now in the process of contacting impacted customers and will be offering free credit monitoring and identity protection services from Experian.
"We are committed to addressing this situation as quickly and efficiently as possible, in a manner that protects customers and their data," TIO Networks stated. "In the meantime, all affected customers are strongly encouraged to take advantage of the credit monitoring services."
The TIO Networks service itself is still offline and PayPal has stated that services will not resume until confidence in the security of the TIO platform has been restored.
"At this point, TIO cannot provide a timeline for restoring bill pay services, and continues to recommend that you contact your biller to identify alternative ways to pay your bills," TIO stated in a Frequently Asked Questions (FAQ) page about the data breach.
PayPal isn't the first organization this year to buy a company and find out post-close that there was a data breach. On Sept. 18, security firm Avast publicly disclosed that Piriform and its popular CCleaner tool were the victims of a data breach. The Piriform breach occurred prior to Avast acquiring Piriform in July 2017, though neither company was apparently aware of the breach until September.
"I don't have inside knowledge here, but based on the telemetry from the outside it seems they (PayPal) found this out after closing their deal to acquire TIO," Jonathan Sander, CTO of STEALTHbits Technologies, told eWEEK. "PayPal did all the right things once they knew about the breach it seems, but one thing they maybe could have done was bring security to the table during the acquisition process itself."
Sander added that corporate board rooms are learning lessons slowly about how bad security posture translates to reputation damage and ultimately impacts the bottom line.
"One area that has yet to incorporate security fully is the corporate development specialists doing M&A work—and that's most places, not specifically PayPal," he said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.