PayPal Holdings Inc. has revealed that TIO Networks Inc., a financial services company that facilitates bill payments in offline locations it acquired earlier this year, was hacked and private data from 1.6 million customers was compromised.

In a statement, PayPal said that its investigation had “identified evidence of unauthorized access to TIO’s network, including locations that stored personal information of some of TIO’s customers and customers of TIO billers.” It’s not clear when the hacking took place or exactly what specific details were obtained, but notably PayPal is taking the issue seriously. It said it had entirely suspended TIO’s operations as of Nov. 10 “to protect customer data as part of an ongoing investigation of security vulnerabilities of the TIO platform.”

The decision by PayPal to suspend the operations of TIO did not come cheaply. The acquisition, announced in February and finalized in July, cost PayPal $233 million.

Commenting on the hack, Stephen Thomas from Cyberbit Ltd., told SiliconANGLE that the announcement of the breach and loss of over 1.6 million customer records from TIO “highlights the need for additional due diligence” in the acquisition process.

“For far too long the state of security has only become a consideration post acquisition, but exposures such as this and the Yahoo breach revealed after the Verizon acquisition, should be the writing on the wall that this needs to change,” Thomas said. “The valuation of any acquisition should take into account the state of security and potential impact of addressing a breach or remediating the existing vulnerabilities.”

Discussing specifically the implications of security risks in acquisitions, Thomas added that “the risks here shouldn’t be treated separately than any other consideration during the due diligence process and a lack of transparency should be a red flag to the acquisition team. Continuing the same behavior and treating security as an afterthought will continue to be a costly mistake.”

Photo: leweb3/Flickr