PayPal uncovers TIO Networks data breach affecting 1.6 million users

In July 2017, PayPal completed its acquisition of TIO Networks for $238 million. TIO Networks, a multichannel payment processor, serves over 16 million consumer bill pay accounts and offers solutions for payment services to financially underserved consumers and consumer services.

Fast-forward to Nov. 10, 2017, when PayPal announced the suspension of TIO Networks’ operations due to the discovery of a security vulnerability on the TIO platform. During due diligence review, it was discovered that TIO’s data security program didn’t adhere to PayPal’s information security standards. For this reason, the platform hasn’t yet been integrated into PayPal’s operations.

Luckily for PayPal users, this means they aren’t affected.

What does this mean for third-party security?

We can confidently say that PayPal has applied the appropriate cyber security measures throughout the acquisition process. Before integration, it conducted a thorough investigation to ensure that TIO’s platform was secure and updated to adhere to PayPal security standards. This investigation is what uncovered the compromise.

Thankfully, PayPal was attentively crossing its t’s and dotting its i’s to confirm that everything was secure before moving forward. Otherwise, it’s very likely this breach could have turned into a much more widespread issue.

While PayPal was following best practices to maintain third-party software security measures, the same cannot be said about TIO’s software supply chain.

What does this mean for security in the software supply chain?

TIO’s breach is a result of attackers gaining unauthorized access to up to 1.6 million customers’ personally identifiable information. Though the PayPal subsidiary has yet to contact customers, billers, and retailers affected by the leak, it’s working to do so as quickly as possible.

But let’s look a bit deeper into how TIO could have hardened its software security stance.

While the specific vulnerability that allowed for the TIO Networks breach hasn’t been publicly disclosed, one area in which the company could have strengthened its security measures is network security testing. This type of testing includes both manual options (such as penetration testing) and tool-based options that conduct automated scans and provide accurate, actionable guidance.