In July 2017, PayPal completed its acquisition of TIO Networks for $238 million. TIO Networks, a multichannel payment processor, serves over 16 million consumer bill pay accounts and offers solutions for payment services to financially underserved consumers and consumer services.
Fast-forward to Nov. 10, 2017, when PayPal announced the suspension of TIO Networks’ operations due to the discovery of a security vulnerability on the TIO platform. During the due diligence review, it was discovered that TIO’s data security program didn’t adhere to PayPal’s information security standards. For this reason, the platform hadn’t yet been integrated into PayPal’s operations.
Luckily for PayPal users, this means they aren’t affected.
We can confidently say that PayPal applied the appropriate cybersecurity measures throughout the acquisition process. Before integration, it conducted a thorough investigation to ensure that TIO’s platform was secure and updated to adhere to PayPal’s security standards. This investigation is what uncovered the compromise.
Thankfully, PayPal was attentively crossing its t’s and dotting its i’s to confirm that everything was secure before moving forward. Otherwise, it’s very likely this breach could have turned into a much more widespread issue.
While PayPal was following best practices to maintain third-party software security measures, the same cannot be said about TIO’s software supply chain.
TIO’s breach is the result of attackers gaining unauthorized access to the personally identifiable information of up to 1.6 million customers. Though the PayPal subsidiary has yet to contact the customers, billers, and retailers affected by the leak, it’s working to do so as quickly as possible.
But let’s look a bit deeper into how TIO could have hardened its software security stance.
While the specific vulnerability that allowed the TIO Networks breach hasn’t been publicly disclosed, one area in which the company could have strengthened its security measures is network security testing. This type of testing includes both manual options (such as penetration testing) and tool-based options that run automated scans and report findings with actionable remediation guidance.
While securing the software supply chain is of critical importance to firms of all shapes and sizes in all industries, there is no one-size-fits-all solution. That’s why your best strategy is a comprehensive one. From products, professional services, and security testing services to training and program design and development, the Black Duck portfolio helps organizations infuse security and quality into their operations, without negatively affecting velocity.