It has been reported that Thinkful, an online education site for developers, has confirmed a data breach, just days after it confirmed it would be acquired. The email to users said that although the company has seen “no evidence” of any unauthorised access to users’ account data, it did not rule out any improper access to user data.
Thinkful Resets All User Passwords After Security Breach https://t.co/zJmat9N8pn
— BleepingComputer (@BleepinComputer) September 19, 2019
This incident highlights the importance of due diligence during mergers and acquisitions in modern times. I’m hopeful that Thinkful would have disclosed the information if they were aware of it, and I would also hope that Chegg, given their recent experience with a breach, would have this addressed contractually.
Obviously, the reputational damage and cost of dealing with the breach can have a significant impact on valuation or could kill the deal altogether. This is why it is so important to take cybersecurity seriously, especially if you’re considering an acquisition or looking to be acquired.
In many cases, security incidents like this, where credentials are misused, are due to someone giving them up in a phishing attack. That’s why you want to ensure your users are well trained to spot and report them.
Compromising small startups in the weeks and months following an acquisition can lead to huge payoffs for attackers, as they gain footholds in soft targets before they’re able to adapt to possibly stronger security postures from acquiring companies. That’s just one reason why it’s important to get a handle on a company’s full security posture before making an acquisition decision.