Michael Avdeev · Insights · 5 min read
Verizon Cut $350M from Yahoo. What’s Hiding in Your Target?
Last year I watched a deal fall apart.
Not a huge one—mid-market SaaS acquisition. The target company had passed their SOC 2 audit. Security questionnaire looked fine. Everyone was ready to close.
Then someone ran a data discovery scan on their file shares. Found 2.3 million customer records sitting in a “legacy exports” folder that nobody had touched in four years. SSNs. Credit cards. The works.
Remediation estimate: $2M minimum. The acquirer walked.
The target company’s CEO told me later: “We genuinely didn’t know it was there.” I believe him. That’s the problem.
The Numbers That Should Scare You
According to a Forescout survey, 73% of respondents said a company with an undisclosed data breach is an immediate deal breaker. Even more telling: 53% of organizations have hit a cybersecurity issue during M&A due diligence that jeopardized the deal.
Hidden data equals hidden liability. And in today’s regulatory environment, that liability follows the acquirer.
You buy their data. You buy their problems.
Where Traditional Due Diligence Fails
M&A due diligence focuses on financials, legal exposure, operational risk. Cybersecurity reviews typically check policies, incident history, maybe security architecture.
What’s missing? A real inventory of where sensitive data actually lives.
Not where the target thinks it lives. Where it actually lives.
This matters because:
- Regulatory liability transfers — GDPR, CCPA, HIPAA obligations follow the data, not the original collector
- Breach notification clocks start at discovery — When you acquire a company, you inherit their undiscovered breaches. The 72-hour GDPR notification window starts when you find them.
- Valuation adjustments rarely account for data risk — A company with 50TB of unclassified data in legacy systems carries risk that doesn’t show up on any balance sheet
The Usual Suspects
Every acquisition has data repositories that fall outside standard security reviews. I’ve seen it dozens of times:
Legacy systems and backups. Archive servers, old backup tapes, decommissioned systems. Years of accumulated sensitive data. Nobody actively manages them. Nobody knows what’s in them.
Dev and test environments. Production data copied for “testing” has a habit of staying forever. SSNs, credit cards, customer PII—all sitting in systems with relaxed access controls.
Shadow IT. Marketing has a Dropbox folder with customer lists. Sales keeps prospect data in personal Google Drives. None of it appears in the official inventory.
Third-party integrations. Data shared with vendors, partners, SaaS platforms. The target’s data might be sitting in systems they don’t even control.
A CISO at a PE firm told me: “We assume every target has at least one data graveyard they’ve forgotten about. We’re usually right.”
The Yahoo Lesson
In 2017, Verizon cut $350 million from Yahoo’s acquisition price after discovering two massive breaches affecting 3 billion accounts. The breaches had occurred years earlier. Nobody disclosed them during initial due diligence.
That wasn’t an anomaly. It was a preview.
Today, acquirers face:
- $4.44 million average breach cost (IBM 2025)
- Up to 4% of global revenue in GDPR fines
- Class action litigation extending years past close
- Reputational damage affecting the combined entity
The deal might still make sense. But you need to price the risk accurately. You can’t price what you can’t see.
Three Questions Before Signing
1. Where does sensitive data actually live?
Not the spreadsheet-based inventory maintained by IT. The real answer. Across all file shares, cloud storage, databases, backups, endpoints.
This requires automated scanning. Not interviews.
2. What types of sensitive data exist?
PII, PHI, payment card data (PCI), credentials, intellectual property—each carries different regulatory obligations. A healthcare target might have perfect HIPAA controls for clinical systems but PHI scattered across email archives and shared drives.
3. What’s the remediation cost?
Once you know what exists and where, you can estimate the real cost of bringing governance up to your standards. That number becomes a negotiation point—or a deal breaker.
The 72-Hour Problem
Under GDPR, you have 72 hours to report qualifying breaches after becoming aware. When you acquire a company, “awareness” includes what you discover during integration.
Find a three-year-old breach in a newly acquired subsidiary? The clock doesn’t reset. You have 72 hours to notify regulators—and explain why the target’s controls failed.
Pre-acquisition scanning turns this from crisis management into a managed process. You know what you’re inheriting before you inherit it.
How to Actually Do This
The challenge with pre-acquisition scanning is access. You can’t deploy enterprise DSPM platforms in a target’s environment during due diligence. Six-month implementations don’t work on deal timelines.
What does work:
- Request a data discovery scan as part of due diligence — Make it a condition of the LOI
- Use containerized scanning — Docker-based tools that run locally, no SaaS dependencies, no data leaving the target’s network
- Focus on high-risk repositories first — File shares, cloud storage, backups yield the most insight fastest
The goal isn’t perfect visibility before signing. It’s enough visibility to price the risk—or walk away if the exposure is unacceptable.
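As an added illustration of the first two questions above and of the "focus on high-risk repositories first" step (example code, not code from this post or from Risk Finder), here is a minimal local data discovery scanner: it walks a file share, classifies each file with two constructed classifiers (an SSN pattern and Luhn-checked card numbers), and ranks directories by findings so the riskiest repositories are reviewed first. The sample share it builds, and every value in it, is constructed for the demonstration.

```python
import os, re, tempfile

# Two illustrative classifiers (a real scanner runs far more); the SSN pattern rejects
# area 000/666/9xx, group 00 and serial 0000, which are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
def luhn_ok(digits):
    # Mod-10 check: drops most digit runs (order ids, timestamps) that merely look like cards
    doubled = [int(c) * 2 if i % 2 else int(c) for i, c in enumerate(reversed(digits))]
    return sum(d - 9 if d > 9 else d for d in doubled) % 10 == 0
def classify(text):
    # Count findings per data type in one file; only types with hits are reported
    hits = {"ssn": len(SSN_RE.findall(text)),
            "card": sum(1 for m in CARD_RE.finditer(text)
                        if luhn_ok(re.sub(r"\D", "", m.group())))}
    return {k: v for k, v in hits.items() if v}
def scan_tree(root, max_bytes=1_000_000):
    # Walk a share and return {path: findings} for every file that has a hit
    inventory = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    text = f.read(max_bytes).decode("utf-8", "ignore")
            except OSError:
                continue  # unreadable file: skipped, not silently counted as clean
            if hits := classify(text):
                inventory[path] = hits
    return inventory
def rank_locations(inventory):
    # Total findings per directory, riskiest repositories first
    totals = {}
    for path, hits in inventory.items():
        d = os.path.dirname(path)
        totals[d] = totals.get(d, 0) + sum(hits.values())
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

def build_sample_share():
    # Constructed stand-in for a target's file share; every value below is made up
    files = {"legacy_exports/customers.csv": "id,ssn,card\n1,123-45-6789,4111 1111 1111 1111\n"
             "2,234-56-7890,4111 1111 1111 1112\n",  # second card number fails Luhn
             "dev/test_dump.sql": "INSERT INTO users VALUES ('dev', '345-67-8901');\n",
             "docs/handbook.txt": "Onboarding guide. Contact HR via the intranet.\n"}
    root = tempfile.mkdtemp()
    for rel, body in files.items():
        os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as f:
            f.write(body)
    return root
```

Running `rank_locations(scan_tree(build_sample_share()))` puts the forgotten `legacy_exports` folder at the top of the list, which is exactly the kind of repository the anecdote at the start of the post describes.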
Scan in Days, Not Months
We built Risk Finder for time-sensitive assessments like this:
- Deploy via Docker in the target environment—no SaaS, no data egress
- 150+ classifiers running simultaneously across file shares, cloud storage, databases
- Results in days — not the weeks or months enterprise platforms need
- Flat-rate pricing — scanning everything doesn’t blow up your assessment budget
Whether you’re an acquirer protecting your investment or a target demonstrating data maturity, knowing where sensitive data lives is the foundation of modern M&A due diligence.
What you don’t know can kill a deal. Or worse—close one you shouldn’t have. Scan before you sign.