When a threat actor sees a press release announcing a major corporate acquisition, do they see it as an opportunity?
From a hacker’s perspective, an M&A deal can be a moment of strategic weakness. The acquiring company is distracted, the target company might be running outdated or underfunded systems, and both sides are juggling multiple priorities.
From the outside, it looks like a celebration of growth. From the inside, it’s often an operational tangle. And within that tangle there are usually gaps waiting to be exploited.
Acquisitions are rushed – and security often comes last
According to a 2024 report by Forescout Technologies, 62% of organisations believe cybersecurity risk increases significantly during M&A. But only a minority prioritise cyber due diligence early in the process.
Integration of systems is frequently rushed, patching cycles are delayed, and identity management gets messy. Threat actors know this. These transitions stretch internal teams thin, and when a team is stretched, opportunities appear.
One of the most notorious examples of an acquisition-related security failure is the Marriott-Starwood hotel breach way back in 2016. Marriott acquired Starwood, unaware that its systems had already been compromised. The breach wasn’t discovered until two years later – by which time attackers had stolen the records of up to 500 million guests. Marriott was fined £18.4 million by the UK’s Information Commissioner’s Office in 2020 for failing to adequately protect this data.
The open-source problem
Even in companies with strong operational resilience, open-source software often hides vulnerabilities. And in M&A, where time pressures are high and codebases get integrated quickly, this becomes a major blind spot.
Synopsys’ 2024 Open Source Security and Risk Analysis (OSSRA) report revealed that 96% of codebases reviewed during M&A audits contained open-source components with known, unpatched vulnerabilities. Even more worrying, 85% of those had licence compliance issues – exposing acquirers to both security and legal risk.
For hackers, these flaws are golden. There’s no need to engineer zero-days when you can find an outdated Apache library or unpatched Log4j still running in production. These components often sit quietly in legacy apps or microservices no one has reviewed in months – and during an acquisition, they’re even less likely to be noticed.
Identity, access, and the insider window
As well as combining tech systems, M&As blend teams, offices, suppliers, and infrastructure. As all of those systems converge, it’s easy for old accounts to be forgotten and permissions to be duplicated, and some employees retain access to data or systems they no longer need.
This post-acquisition sprawl makes it incredibly easy for threat actors to escalate privileges or exploit insider routes. In a December 2024 report, the Financial Times cited Financial Conduct Authority (FCA) data showing that 30.3% of UK takeover bids exhibited suspicious trading activity ahead of announcements in 2023. The FCA attributed this figure to signs of suspicious market activity and red flags for insider-trading around takeover announcements.
That’s just one symptom of a broader issue: security teams can’t monitor what they can’t map.
Academic research supports this. A 2023 study by the University of Melbourne and Babson College suggested that firms with stronger cyber hygiene are more likely to complete acquisitions successfully – and also more likely to outperform financially post-deal. The paper found that robust cyber governance reduces deal withdrawals and leads to fewer post-acquisition write-downs.
What should organisations do to stay ahead of threat actors during M&A transitions?
Treat M&A not as a routine IT exercise, but as a red-alert moment. Cyber due diligence should start alongside legal and financial reviews – not weeks later.
Audit open-source software early, and document access controls before integrating systems. Write cyber indemnity clauses into the deal contracts, and have remediation roadmaps in place for any vulnerabilities.
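One concrete form of the "document access controls before integrating systems" step, and of mapping the account sprawl described under "Identity, access, and the insider window", as an added example that is not the article's own code: it reconciles two constructed account inventories (one per organisation) and flags dormant logins, leavers who still have accounts, privileged identities duplicated across both tenants, and the privileged accounts among those findings that deserve attention first. All tenant names, users, emails and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Account:
    tenant: str       # which directory the account lives in: "acquirer" or "target"
    user: str         # login name
    email: str        # mailbox owner; the same email in two tenants means one person, two logins
    privileged: bool  # holds admin-level rights
    last_login: date  # last successful sign-in
    employed: bool    # still on the combined HR roster

# Constructed sample inventories (hypothetical data), as exported from each side's directory.
ACCOUNTS = [
    Account("acquirer", "a.lee",      "a.lee@example.com",          True,  date(2025, 5, 1),  True),
    Account("target",   "alee",       "a.lee@example.com",          True,  date(2025, 4, 20), True),
    Account("target",   "svc_backup", "svc_backup@target.example",  True,  date(2024, 9, 1),  True),
    Account("target",   "j.doe",      "j.doe@target.example",       False, date(2025, 4, 28), False),
    Account("acquirer", "m.khan",     "m.khan@example.com",         False, date(2025, 4, 30), True),
]

def reconcile(accounts, today, dormant_days=90):
    """Map the merged estate and return findings by category (lists of logins/emails)."""
    findings = {"dormant": [], "leaver": [], "duplicate_privileged": []}
    cutoff = today - timedelta(days=dormant_days)
    by_email = {}
    for acct in accounts:
        if acct.last_login < cutoff:            # nobody has used it recently
            findings["dormant"].append(acct.user)
        if not acct.employed:                   # person left, login survived the merge
            findings["leaver"].append(acct.user)
        by_email.setdefault(acct.email, []).append(acct)
    for email, accts in by_email.items():
        # One person holding admin rights through logins in both directories
        # is exactly the duplicated-permission case integration tends to create.
        if len({a.tenant for a in accts}) > 1 and any(a.privileged for a in accts):
            findings["duplicate_privileged"].append(email)
    return findings

def highest_risk(accounts, today, dormant_days=90):
    """Privileged accounts that are dormant or belong to leavers: remediate these first."""
    f = reconcile(accounts, today, dormant_days)
    flagged = set(f["dormant"]) | set(f["leaver"])
    return sorted(a.user for a in accounts if a.privileged and a.user in flagged)

if __name__ == "__main__":
    print(reconcile(ACCOUNTS, date(2025, 5, 5)))
    print(highest_risk(ACCOUNTS, date(2025, 5, 5)))
```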
Because an M&A deal can look like an open door. All the ingredients are there: systems in flux, rushed timelines, distracted teams, and security low down on the priority list. But when security is sidelined, attackers walk right in – and sometimes, they don’t leave for years.