Researcher warns of cyber-threat to mergers and acquisitions

Multi-million dollar exchanges will surely attract cyber-criminals

A FireEye report has warned of cyber-criminals targeting mergers and acquisitions (M&A) deals.

The report, written by security researcher Holly Ridgeway, notes that last year set new records for M&A values, with JP Morgan putting the number in the trillions, a figure sure to attract the cyber-underworld.

The author highlights several ways in which this might happen, such as exploiting financial information generated during the process of a merger, which could be anything including market reports, press releases or internal communications. All of these can give hackers, or those leveraging hacking, the opportunity to gain an upper hand in financial deals.

The report cites one group, FIN4, which, during 2013 and 2014, lured individuals in M&As into giving away sensitive details, documents and credentials about the deal they were undertaking.  

In the last couple of years there have been several high profile cases of cyber-criminals using stolen financial information, not to outright rob, but to come out on top in financial deals.

Perhaps the most notable was the 2014 JP Morgan breach, which resulted in the theft of details from 83 million customers.

The data stolen from the breach would then be used to call those customers and con them into buying worthless stocks. Once enough people had bought that particular stock, and its price had risen, the scammers would then dump the stock, crashing their victims' investments and making a tidy profit.

The report further states that cyber-crime might be used by either side of an M&A deal to try and gain the upper hand in negotiations. The report points to several incidents involving Chinese APT groups, who have been suspected of doing the work of Chinese companies then involved in financial deals. 

Perhaps the most obvious side effect in terms of cyber-crime would be the massively enlarged attack space that comes with an amalgamation of two companies. One company may acquire another in good faith, only to find later down the line that the acquired company had been breached several months before and hackers had been sitting on its network. In fact, the list of companies breached through a compromised partner gets longer every day.

To this end, cyber-security due diligence is key, concluded the report. “Cyber security risk is not science fiction, even though it has essentially been treated as science fiction by being left out of M&A processes. Acquiring companies and due diligence practitioners must now catch up to the reality of the costs and risks that cyber-security issues create”.