PCM Inc. of California, one of the larger cloud solution providers in the United States, experienced a breach of their client file sharing and email systems in May. Two things make this story particularly interesting: the fact that Office 365 accounts were compromised, and the fact that this happened in the midst of an announcement of acquisition by enterprise B2B IT company Insight Enterprises.
The PCM breach
The hack is somewhat similar to the one that hit cloud solution provider Wipro in April, in that gift card fraud appeared to be the ultimate aim. It is still unclear exactly how the breach happened or who was responsible, but Office 365 administrative credentials (which provide access to email and file sharing systems of the company’s clients) were the target.
According to PCM’s official statement on the matter, “minimal” customer information was exposed and affected customers were contacted directly by the company. The company maintains that its internal investigation has revealed minimal impact to PCM customers. Robert Prigge, President of Jumio, explained why “minimal to no impact” could very well be underselling the extent of the hack:
“Having your personal email hacked is one thing (not to understate the plight of identity theft victims), but having the administrative credentials stolen from PCM – the same credentials they use to manage client accounts within Office 365 – is next level.
After all, if these hackers can access the Office 365 accounts of PCM’s customers, they can unlock a lot of personal data and sensitive business documents. Think about it – if a hacker has access to your Office 365 account, they can reset your password and lock you out. What’s worse, they may use that same email address as their username for other online accounts. So, if you have 100 employees, and those employees each have just 10 accounts connected to their Office 365 email addresses, that’s 1,000 accounts associated with your company that the hackers can potentially now monitor and control. Yikes!”
Though there is no concrete information about the identity of the hackers at this time, there is speculation that the notorious Chinese group “Cloud Hopper” may be involved given the patterns of attack. Krebs On Security reported last week that the group had been very active as of late, targeting about a dozen major technology firms and cloud solution providers including Rackspace and Cognizant. The group has been active since 2014, when it engaged in several hacks of telecommunications giant Ericsson. As Jonathan Oliveira, Cyber Threat Intelligence Analyst at Centripetal observed:
“As a bystander, it does seem possible that both the Wipro and PCM compromises are connected. As for the connection to Cloud Hopper, it is not surprising that Chinese groups are attacking the ISPs and cloud providers. The growing trend of targeting employees who work at cloud providers makes plenty of sense because why would an attacking group want to waste time and resources brute forcing when employees statistically offer the best avenue of approach into a network? These employees are increasingly becoming high value targets and, in most cases, do not realize how valuable they are to an attacker. Though money on expensive systems and surveillance means nothing, if an employee will fall for a phishing email.”
The Insight Enterprises merger
PCM announced the breach just days after Insight Enterprises announced that they would be acquiring the cloud solution provider for $35 per share. PCM shares were up 42% the Monday morning after the announcement.
Insight has made no public comment on the PCM breach, and it is unclear whether the company was made aware of it (or if PCM itself was aware of it) prior to the merger agreement.
The transaction is not complete at this time; it has to go through standard approvals by shareholders and regulators, which will likely take until sometime in late 2019 to complete. Given all this, PCM would naturally be in a hurry to minimize reports of how many customers were potentially impacted. With these types of breaches, the extent of the damage often grows as an internal investigation is conducted, and it will be interesting to see what the results of that will be and whether or not it impacts shareholder sentiment toward the merger.
Forescout’s relevant cloud solution provider study
Interestingly enough, a cybersecurity study of post-merger organizations that is very relevant to this situation was released just a few days after the PCM breach news broke. The study, conducted by network security firm Forescout of California, revealed that the majority of merged companies both experienced a cybersecurity event that put the deal in jeopardy and experienced “buyer’s remorse” post-merger due to a cyber issue.
Entitled “The Role of Cybersecurity in Mergers & Acquisitions Diligence”, the study included over 2,700 companies in seven of the world’s largest national economies. All of these companies had been through a merger or acquisition, and respondents were split roughly in half between IT decision makers and business decision makers in the senior management ranks. 53% said they experienced a cybersecurity issue involving the other company during the merger process that was bad enough to force reconsideration of the deal, and 65% said that they experienced regret post-merger due to cybersecurity issues with the other company.
There are two main avenues of concern in terms of cybersecurity posture and policy: the likelihood of human error, and the likelihood of poorly-secured Internet of Things devices opening up the doors to a cyber attack. All of this means that risk has to be tracked in terms of individual devices that have connections to the company network, an obviously complex and expensive task that many companies struggle with due to a lack of inventory of smart and personal devices in use on the premises. Rather than attempting to propose a comprehensive solution to this thorny (and no doubt highly individualized) issue, Forescout suggests that strong clawback clauses should be standard. Of course, even the best clause does not repair the damage once malware has been installed or data has been exfiltrated.
The survey also asked companies that are doing cybersecurity due diligence what they are focusing on in their evaluations. Unsurprisingly, financial statements are the #1 item. These are followed by the target company’s history of cybersecurity incidents, competitive positioning, outstanding litigation and customer satisfaction scores. In last place sits cyber risk scores. It is also important to note that nearly 1/3 of these companies are waiting until the diligence & evaluation phase or the integration phase (the final phase) to begin cybersecurity evaluation. Only 38% are including cybersecurity evaluation in the initial acquisition strategy.
Additionally, only 36% of all the companies responded that they feel they have adequate time to review the target company’s cybersecurity posture, and only 37% felt that their IT teams were fully up to the task.
Companies seem to have a good level of awareness of where the points of vulnerability are, but for some reason are still lagging behind in actually getting to them during their inspections. For example, 72% of the respondents said that Internet of Things devices were a primary concern, but only 57% were actually screening them and 48% said that at least some of them were likely to be missed. 53% of respondents also said that, after the merger is complete, they find devices that had been unaccounted for.
Of the 65% of companies that expressed post-merger regrets, the most common lament was a lack of time and thoroughness in performing the cyber assessment. Companies that were interviewed commonly stated that they should have allocated their IT staff more time to do a more complete evaluation of the target company’s cyber policies and status.