Never Waste a Crisis: TeleMessage & Investor Diligence

Another crisis, another opportunity to learn.

TeleMessage, a Signal-like messaging app designed to preserve messages for archival purposes (archiving being a legal requirement for the U.S. government), was not secure. It turns out they had multiple vulnerabilities in their publicly available GitHub code, including hardcoded secrets (for those not familiar with the jargon: things like passwords written into the source code in readable text).


So, what is the lesson?

Other than "don't hardcode secrets into code" (duh), the lesson is in the diligence and M&A integration process. You see, TeleMessage was acquired in February 2024 by the local Oregon firm Smarsh (Smarsh makes archiving technology). The purchase announcement was in 2022. Interestingly, Smarsh also seems to own Entrada, a cybersecurity software vendor.


Cybersecurity Risk in M&A and Due Diligence

This means that over the course of two years there were rounds of diligence and testing, followed by an entire integration of the TeleMessage and Smarsh technologies, and yet STILL no one caught the secrets published in the code. This was despite the fact that Smarsh even had another wholly owned subsidiary that makes software marketed as automation for analyzing cybersecurity. So, if they seemed to have both the capability and the time, why was such an obvious security vulnerability missed? Was security a priority?


Honestly, probably not. And this would not be unusual. In so many deals I have reviewed for cybersecurity, data protection, privacy, and data rights, the findings are easily dismissed with a "that can be addressed at integration". Of course, they are also never added to or prioritized in the integration checklists, which are focused almost exclusively on getting the newly acquired product to market. After all, what is the probability that something will go wrong? Combine this Vegas-odds approach to security management with investors, advisors, and business leaders who bring a combination of immaturity and overconfidence to managing cybersecurity risks, and the result can be a breach of national security due to a coding error that is easily caught by readily available vulnerability scanners.
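To make the "readily available scanner" point concrete, here is a minimal hardcoded-secret scanner written for this post (it is example code, not TeleMessage's or Smarsh's, and not a substitute for a mature tool). It applies three common heuristics to a constructed sample file; the keyword list, placeholder set and entropy threshold are illustrative choices.

```python
import math
import re
from collections import Counter

# Heuristics a basic secret scanner applies. The AWS key-id prefix is a widely
# known pattern; the rest are generic. Every sample value below is constructed.
AWS_KEY_ID = re.compile(r"AKIA[0-9A-Z]{16}")
SECRET_ASSIGNMENT = re.compile(
    r"(?i)(password|passwd|pwd|secret|api_key|token)\s*[:=]\s*['\"]([^'\"]{6,})['\"]"
)
LONG_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/=_\-]{20,})['\"]")
PLACEHOLDERS = {"changeme", "<redacted>", "xxxxxxxx", "your_password_here"}

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking tokens score well above prose (~4.0+)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def scan_source(text: str, entropy_threshold: float = 4.0):
    """Return (line_no, rule, value) per suspected secret; first matching rule wins."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = AWS_KEY_ID.search(line)
        if m:
            findings.append((line_no, "aws_access_key_id", m.group(0)))
            continue
        m = SECRET_ASSIGNMENT.search(line)
        if m and m.group(2).lower() not in PLACEHOLDERS:  # skip obvious dummies
            findings.append((line_no, "secret_assignment", m.group(2)))
            continue
        m = LONG_LITERAL.search(line)  # long opaque literals assigned to harmless names
        if m and shannon_entropy(m.group(1)) >= entropy_threshold:
            findings.append((line_no, "high_entropy_literal", m.group(1)))
    return findings

# Constructed sample source file; none of these are real credentials.
SAMPLE_SOURCE = """\
# constructed sample config
DB_HOST = "db.internal"
DB_PASSWORD = "Summer2024!"
AWS_KEY = "AKIAEXAMPLEEXAMPLE01"
SESSION_SECRET = os.environ["SESSION_SECRET"]
API_TOKEN = "changeme"
blob = "zq9XmK4pL2vNbT7wRy3sGh8J"
"""

if __name__ == "__main__":
    for line_no, rule, value in scan_source(SAMPLE_SOURCE):
        print(f"line {line_no}: {rule}: {value}")
```

Running this in a diligence checklist or a pre-commit hook over a repository snapshot is the kind of low-cost check that would have flagged the sample's three plaintext credentials while leaving the environment-variable lookup and the placeholder alone.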


Impact

The impact of this misadventure is still playing out, and the impact on Smarsh and its shareholders is still unknown. The TeleMessage service was suspended at the time of this writing, and press releases indicated that an external firm was being brought in to manage the "investigation". Both of those things are going to have a huge impact on the operational costs of the business. That brings us to the investment risk associated with entities that don't consider their cybersecurity programs, or the scalability of those programs as the company grows.


This isn't particularly difficult - we wrote about this before in our two-part series on Legal Compliance for the AI-Powered Startup (Investor Perspective). It is, however, often not rewarded when done - there is no carrot to convince founders to do this work, only the stick that comes with later failure. Luckily, there are those unfortunate enough to provide us with lessons in consequences. Let's learn from them.


The Lesson

Both founders and investors (at all stages) can learn from the lesson that TeleMessage/Smarsh has provided us here. An easily adoptable technology with exciting market penetration looks like a great opportunity. Cybersecurity hygiene, data protection, and legal compliance, on the other hand, are boring, un-sexy, and lack the sparkle of AI-powered laundry detergent. Where will that investment be, though, if the company lacks a plan – or even the skillset to build a plan – by the time it is achieving market penetration in highly regulated segments?


If you want to protect your company or your investment and don't know where to start - reach out. Actionable, scalable advice on digital regulatory compliance is what we do best.
