PayPal Subsidiary TIO Networks Suffers Breach Affecting 1.6 Million Users

Payments processor TIO Networks has identified a security breach that may have compromised the personally identifiable information of 1.6 million people.

PayPal, which acquired TIO in July for more than $230 million, suspended the company’s operations Nov. 10 after identifying vulnerabilities in its infrastructure. A subsequent investigation found evidence of unauthorized access to locations on TIO’s network that were used to store personal information.

TIO processed more than $7 billion in consumer bill payments in 2016 and has more than 14 million consumer accounts. The company processes payments made by customers to 10,000 billers via self-service kiosks, walk-in stores, mobile apps and web solutions.

TIO is working with its billing partners to notify potentially affected customers and is offering them a free 12-month credit monitoring membership with Experian.

PayPal and TIO have not revealed what personal details the compromised data included or how the unauthorized access occurred. Since TIO’s services are down, customers will have to find alternative means to pay their bills in the meantime.

“The services will not be fully restored until we are confident in the security of the TIO systems and network,” the company said in an FAQ published on its website. “At this point, TIO cannot provide a timeline for restoring bill pay services, and continues to recommend that you contact your biller to identify alternative ways to pay your bills.”

Unlike Uber, which intentionally kept silent about a data breach that occurred in 2016 and affected 57 million riders and drivers, PayPal acted quickly and notified the public as soon as the TIO breach was discovered. Customers will likely appreciate this, but some experts think many smaller companies will remain reluctant to come forward and report similar incidents.

“In a sense, we are entering an era where only brands that are well-trusted will be able to talk about security openly, the way PayPal has here,” Jonathan Sander, CTO of STEALTHbits Technologies, said via email. “We all want companies to be honest about security, but at the same time, we are collectively likely to punish small firms that have breaches before gaining a foothold of trust in our minds. PayPal knows it will actually come out ahead in the reputation calculus for telling us about the problems at TIO. But would we have given that same credit to TIO themselves?”

International Effort Takes Down the Andromeda Botnet

The FBI and law enforcement agencies in Europe, assisted by Microsoft and other private sector partners, have managed to take down a large and long-running botnet known as Andromeda.

The botnet has been used as a distribution platform for other malware programs for years. According to Europol, Andromeda has been associated with more than 80 malware families and, over the past six months, has been detected on more than 1 million machines every month.

The botnet takeover happened Nov. 29 and involved sinkholing 1,500 domain names used by the malicious software. Over the course of 48 hours, more than 2 million unique IP addresses in 223 countries, belonging to machines with Andromeda malware installed, tried to reach the sinkholed domains, Europol said Monday in an announcement.

Law enforcement authorities also arrested a suspect in Belarus in connection with the botnet’s operation.

The effort to take down Andromeda started last year after the dismantling of another malware distribution network known as Avalanche that used the botnet. Insights gained during that investigation provided authorities with more information about Andromeda, leading to this new takedown.

“This is another example of international law enforcement working together with industry partners to tackle the most significant cybercriminals and the dedicated infrastructure they use to distribute malware on a global scale,” said Steven Wilson, the head of Europol’s European Cybercrime Centre. “The clear message is that public-private partnerships can impact these criminals and make the internet safer for all of us.”

While command-and-control infrastructure is relatively easy to take down, given the right cooperation, completely killing off a botnet can take years. The Avalanche sinkhole, which has been running since November 2016, has been authorized for another year because more than 50 percent of systems remain infected.

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor’s degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at lucian@constantinsecurity.com or @lconstantin on Twitter. For encrypted email, his PGP key’s fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
