Securing Mergers & Acquisitions and Supply Chain – A Cybersecurity Due Diligence Perspective

Merger and Acquisition Woes

On October 30, 2020 it was reported that a multinational hospitality group had been fined £18.4 million by the UK's data privacy watchdog, the Information Commissioner's Office (ICO). The ICO had initially announced its intention to fine the group £99 million; the final penalty is substantially lower. An estimated 339 million guest records were affected by the attack.

The Breach:
The intrusion dates back to 2014 and remained undetected until 2018. The compromised systems belonged to a company that the hospitality group acquired in 2016, so the attackers were already inside the environment when the deal closed. Personal data including names, email addresses, phone numbers, passport numbers and loyalty programme membership details were involved in the breach.

ICO Finding:
The ICO's investigation found that the hospitality group had failed to put in place appropriate technical and organisational measures to protect personal data, as required by the General Data Protection Regulation (GDPR). The penalty covers only the part of the breach after 25 May 2018, when the GDPR came into effect. More about the breach can be accessed here.

Supply Chain Risks

Misconfigured S3 buckets remain a recurring source of exposure:
Last week there were reports that a hotel reservation platform used by some of the leading hotel booking websites had left data belonging to millions of guests exposed in a misconfigured AWS S3 bucket. The platform lets hotels automate their availability across online booking sites. Reports suggest that guest details were stored in the bucket with no access control at all, putting millions of people at risk. To learn more about cloud misconfiguration read our blog here.

The impact:
The report also suggests that the credit card details of hundreds of thousands of people were exposed, which is a potential breach of both GDPR and PCI DSS requirements. The data in the misconfigured bucket appeared to originate from some of the most popular hotel booking websites, so the exposure reached far beyond the platform's own customers.
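The exposure described above comes from one of three places a bucket can be opened to the world: the account or bucket Public Access Block settings, the bucket ACL, and the bucket policy. The following is an added example, not code from the original article or from C3M, that evaluates those three inputs offline and reports whether a bucket is effectively public. The input dictionaries mirror the shapes returned by boto3's get_public_access_block, get_bucket_acl and get_bucket_policy calls, but the bucket names, account ID, ARNs and the weak and hardened configurations below are constructed for illustration and are not taken from the reported incident.

```python
"""Offline check for the S3 exposure pattern discussed above (added example)."""
import json

PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
PUBLIC_ACL_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"} (including "*" inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_policy_statements(policy):
    """Allow statements granting S3 actions to everyone with no Condition.

    Conditioned grants (e.g. restricted to a VPC endpoint) are skipped here;
    NotAction/NotPrincipal forms are not handled and would need a separate rule.
    """
    if policy is None:
        return []
    if isinstance(policy, str):  # get_bucket_policy returns the document as a string
        policy = json.loads(policy)
    hits = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a == "*" or a.lower().startswith("s3:") for a in actions):
            continue
        if stmt.get("Condition"):
            continue
        hits.append(stmt)
    return hits


def public_acl_grants(acl):
    """ACL grants to the AllUsers or AuthenticatedUsers predefined groups."""
    return [g for g in acl.get("Grants", []) if g.get("Grantee", {}).get("URI") in PUBLIC_ACL_URIS]


def assess_bucket(name, public_access_block, acl, policy):
    """Return findings plus whether the bucket is reachable by the public right now.

    IgnorePublicAcls neutralises public ACL grants and RestrictPublicBuckets
    neutralises public policy grants; BlockPublicAcls/BlockPublicPolicy only
    stop new public grants being written, so they do not change current exposure.
    """
    pab = public_access_block or {}
    acl_hits = public_acl_grants(acl)
    policy_hits = public_policy_statements(policy)
    effective = (bool(acl_hits) and not pab.get("IgnorePublicAcls", False)) or (
        bool(policy_hits) and not pab.get("RestrictPublicBuckets", False)
    )
    findings = [f"{name}: PublicAccessBlock.{k} is not enabled" for k in PAB_KEYS if not pab.get(k, False)]
    findings += [f"{name}: ACL grants {g['Permission']} to {g['Grantee']['URI'].rsplit('/', 1)[-1]}" for g in acl_hits]
    findings += [f"{name}: policy statement {s.get('Sid', '<no Sid>')} allows {_as_list(s.get('Action'))} to everyone"
                 for s in policy_hits]
    return {"bucket": name, "effectively_public": effective, "findings": findings}


# Constructed sample data (not from any real account). The weak bucket resembles the
# reported misconfiguration; the hardened bucket is the same data locked to one role.
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"}
WEAK_BUCKET = dict(
    name="reservations-export",
    public_access_block={k: False for k in PAB_KEYS},
    acl={"Grants": [OWNER_GRANT, {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                                  "Permission": "READ"}]},
    policy=json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::reservations-export/*"}]}),
)
HARDENED_BUCKET = dict(
    name="reservations-export",
    public_access_block={k: True for k in PAB_KEYS},
    acl={"Grants": [OWNER_GRANT]},
    policy=json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "BookingApiOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/booking-api"},  # constructed example account
         "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::reservations-export/*"}]}),
)

if __name__ == "__main__":
    for cfg in (WEAK_BUCKET, HARDENED_BUCKET):
        result = assess_bucket(**cfg)
        print(result["bucket"], "public" if result["effectively_public"] else "private", *result["findings"], sep="\n  ")
```

In a real assessment the three inputs would be pulled with boto3 for every bucket in the account (and the account-level Public Access Block checked too), then fed to assess_bucket unchanged. The distinction between "has a public grant" and "is effectively public" matters during due diligence: a target that relies on Public Access Block to mask sloppy policies still has findings to remediate, even though nothing is exposed today.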

Importance of Due diligence

Enterprises both large and small rely on technology to conduct business, store data, take payments, and run day-to-day operations. As that reliance grows, so does the attack surface an enterprise is exposed to, and an acquisition or a new vendor extends that surface to systems the enterprise did not build and may not yet understand.

Identifying Risks
Due diligence is critical to identify and remediate risks before an M&A transaction is finalized, or before a new vendor is onboarded. Operational, sales, financial and legal due diligence are routinely performed; cybersecurity due diligence must be treated as an equally essential component of the process. A thorough cybersecurity review can surface critical weaknesses in the target's security posture, including risks serious enough to be deal breakers.

What went wrong?
In the case of the hospitality group and the booking websites, it appears that adequate security due diligence was not done prior to the acquisition and vendor onboarding. The acquiring company inherited an intrusion that began two years before the deal and was then held responsible for failing to detect it on systems it now owned; the vendor's customers, likewise, ended up with their guests' data exposed by a platform they had no visibility into.

How could it have been avoided?
Any risks identified during due diligence should be reported and should form part of the conditions precedent and conditions subsequent to deal closure. Customers should continuously monitor the security posture of their vendors, which matters more than ever in the cloud, where a single misconfigured storage bucket can expose a vendor's entire customer base. The security requirements, or the level of security maturity, that a customer expects from its vendors should be clearly articulated in contracts, and vendors should be audited regularly against those requirements.

Enterprises should understand that cyber risks expose them not only to financial loss and regulatory scrutiny but also to reputational damage. For enterprises with a B2C business model, reputation and brand value are everything. If reputation is lost, everything is lost.

About C3M Cloud Control

C3M is a Cloud Security management platform that gives users CSPM, IAM and Cloud SOAR capabilities to: