Cybercrime and GDPR within the M&A market

By Jeroen Kruithof, Virtual Vaults

Cybercrime is a rapidly growing threat that is impacting more and more companies. It is generally known that cybercrime can cause reputational damage due to the loss of intellectual property. On the other hand, cybercrime can cause personal data breaches, which could result in serious fines for the company.

Cybercriminals can attack a variety of vulnerabilities within a company. The department most vulnerable to cybercrime is the support desk, whose staff need to know exactly which information they may and may not disclose to customers. Companies that operate a support desk therefore have a strong need to be compliant in order to protect data. Strict policies and processes, written specifically for the company, need to be drafted and implemented by a Data Protection Officer to make sure the company becomes, and stays, compliant.

Companies operating in the M&A market are a highly interesting target for cybercriminals, since this market contains a lot of valuable data. Since 2013 FireEye, a cybersecurity company, has been tracking a group of hackers that targets the email accounts of a large number of individuals. The hackers have been able to get access to the confidential information of more than 100 companies, including publicly traded companies and advisory firms that provide M&A services. They focus on compromising the accounts of individuals who possess non-public information about M&A deals, mostly in the healthcare and pharmaceutical industries. Those industries were targeted because their stocks can move dramatically on new clinical trial results, regulatory decisions, or safety and legal issues.

They mainly target top executives, legal counsel, investment bankers and corporate finance advisors. The insider information they obtained enabled them to make or break the stock prices of public companies, and they made use of this trading advantage.

These hackers are of a different kind. They are native English speakers with knowledge of the investment world and the inner workings of public companies. This made their spear phishing emails seem convincing and legitimate.

They also operate in an unusual way. They are solely focused on capturing usernames and passwords, which allow them to view private email correspondence. Sometimes they read the correspondence for a couple of weeks before they strike. With the knowledge they have gathered, they send convincing emails to other advisors. The emails are highly tailored, usually play on the recipient’s knowledge of or interest in a pending deal, and often contain information that has not yet been made public. An email could say something like: ‘John, is it okay to disclose this Excel file to our buyer?’ Such an email seems legitimate to the recipient, since it comes from a colleague who is involved in the same deal. In this case, John receives an Excel file attached to the email from his colleague. When he opens the attachment, he is asked for his login details. If these details are entered, the hackers can enter the new victim’s account and the same story is repeated for this new victim.

The hackers operated in a smart way. Most of the documents they sent to new victims appeared to be stolen from actual deal discussions, most of them still in the early due diligence phases. In some cases, several organisations involved in a single transaction were hacked. In one such transaction, more than five organisations, including all their advisors, were involved, and 20 organisations in total were hacked, including all the legal, tax and corporate finance parties. This, of course, gave the hackers major advantages, since they could view the correspondence between the different parties, view non-public documents and act upon this information.

The hackers also invented ways to evade detection. They created a script that automatically deletes emails containing words such as ‘virus’, ‘hacked’, ‘phish’, ‘malware’, etc. So even when a targeted company becomes aware of the hack and tries to warn other parties, the warning emails never arrive.
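As an added defensive example (not part of the original article), the check below scans an export of mailbox rules for the pattern described above: a rule that deletes or hides messages whose conditions mention security-warning terms. The JSON export layout and the sample rules are constructed for this example, not taken from any real mail server.

```python
import json
import re

# The warning words the article says the hackers' script matched on.
WARNING_TERMS = ("virus", "hacked", "phish", "malware")
# Rule actions that would keep a warning from ever reaching the mailbox owner.
HIDING_ACTIONS = {"delete", "permanent_delete", "move_to_deleted_items", "move_to_junk"}

# Constructed sample of exported mailbox rules. This JSON layout is an
# assumption made for the example, not any real mail server's export format.
SAMPLE_RULES = json.dumps([
    {"mailbox": "john@example.com", "name": "Archive newsletters",
     "conditions": {"subject_contains": ["newsletter"]},
     "action": "move_to_folder"},
    {"mailbox": "john@example.com", "name": ".",
     "conditions": {"subject_contains": ["Virus", "hacked", "phishing"],
                    "body_contains": ["malware"]},
     "action": "permanent_delete"},
    {"mailbox": "amy@example.com", "name": "Junk filter",
     "conditions": {"sender_contains": ["spam.example"]},
     "action": "move_to_junk"},
])


def warning_terms_in(conditions):
    """Return the sorted warning terms that begin a word in any condition
    string (so 'phish' also catches 'phishing', but not 'antivirus')."""
    hits = set()
    for values in conditions.values():
        for value in values:
            for term in WARNING_TERMS:
                if re.search(r"\b" + term, value, re.IGNORECASE):
                    hits.add(term)
    return sorted(hits)


def suspicious_rules(rules_json):
    """Return (mailbox, rule name, matched terms) for every rule that hides
    messages whose conditions mention a security-warning term."""
    findings = []
    for rule in json.loads(rules_json):
        if rule.get("action") not in HIDING_ACTIONS:
            continue
        hits = warning_terms_in(rule.get("conditions", {}))
        if hits:
            findings.append((rule["mailbox"], rule["name"], hits))
    return findings
```

Running `suspicious_rules(SAMPLE_RULES)` flags only the second rule; a real deployment would feed it the rule export of every mailbox involved in a deal and review each hit with the mailbox owner.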

This year, on 25 May, the GDPR (General Data Protection Regulation) will come into force. The GDPR will define the new data protection landscape of the EU. It replaces the current directive and will be directly applicable in all EU member states, without the need for implementing national legislation.

The GDPR will affect the way information is handled in daily work. First, there will need to be stricter control over where personal data is stored and who has access to it. Secondly, better data governance tools will be needed for auditing and reporting on who has access to this kind of information. Thirdly, improved data policies will be needed in order to provide control.

Many companies do not yet know that these steps need to be taken. Gartner predicted that by the end of 2018, 50% of all companies will not be compliant. Research by PwC shows that 32% of US companies want to reduce their presence in the EU, and 26% even responded that they will exit the EU.

In order to defend your data and to reduce the risk of being hacked, the following steps can be taken:

  • 2FA (two-factor authentication): 2FA uses an extra device, such as a mobile phone, in order to log in to one’s account
  • Data encryption: both data at rest and data in transit can be encrypted
  • Smart identity monitoring: actively monitor login behaviour and act when necessary

An important step towards becoming compliant and reducing hacking risks is getting certified according to international security standards, such as ISO 27001 and SOC 2. Certifications are important in order to make sure processes and policies are up to date. A more drastic way of checking whether data is stored safely is hiring a hacker who will look into your company’s weak spots.

When these steps are taken, your company will be closer to being 100% compliant with the new GDPR rules and regulations, and it will also be less vulnerable to cybercrime!

Be safe.

Jeroen Kruithof

Virtual Vaults

Published: March 2018


GGI Global Alliance AG
