spokesperson

Auto Added by WPeMatico

DigitalOcean says customer billing data accessed in data breach

DigitalOcean has emailed customers warning of a data breach involving customers’ billing data, TechCrunch has learned.

The cloud infrastructure giant told customers in an email on Wednesday, obtained by TechCrunch, that it has “confirmed an unauthorized exposure of details associated with the billing profile on your DigitalOcean account.” The company said the person “gained access to some of your billing account details through a flaw that has been fixed” over a two-week window between April 9 and April 22.

The email said customer billing names and addresses were accessed, as well as the last four digits of the payment card, its expiry date and the name of the card-issuing bank. The company said that customers’ DigitalOcean accounts were “not accessed,” and passwords and account tokens were “not involved” in this breach.

“To be extra careful, we have implemented additional security monitoring on your account. We are expanding our security measures to reduce the likelihood of this kind of flaw occuring [sic] in the future,” the email said.

DigitalOcean said it fixed the flaw and notified data protection authorities, but it’s not clear what the apparent flaw was that put customer billing information at risk.

In a statement, DigitalOcean’s security chief Tyler Healy said 1% of billing profiles were affected by the breach, but declined to address our specific questions, including how the vulnerability was discovered and which authorities have been informed.

Companies with customers in Europe are subject to GDPR and can face fines of up to 4% of their global annual revenue.

Last year, the cloud company raised $100 million in new debt, followed by another $50 million round, months after laying off dozens of staff amid concerns about the company’s financial health. In March, the company went public, raising about $775 million in its initial public offering. 

Powered by WPeMatico

T-Mobile says hackers accessed some customer call records in data breach

T-Mobile, the third largest cell carrier in the U.S. after completing its recent $26 billion merger with Sprint, ended 2020 by announcing its second data breach of the year.

The cell giant said in a notice buried on its website that it recently discovered unauthorized access to some customers’ account information, including the data that T-Mobile makes and collects on its customers in order to provide cell service.

From the notice: “Our cybersecurity team recently discovered and shut down malicious, unauthorized access to some information related to your T-Mobile account. We immediately started an investigation, with assistance from leading cybersecurity forensics experts, to determine what happened and what information was involved. We also immediately reported this matter to federal law enforcement and are now in the process of notifying impacted customers.”

Known as customer proprietary network information (CPNI), this data can include call records — such as when a call was made, for how long, the caller’s phone number and the destination phone numbers for each call, and other information that might be found on the customer’s bill.

But the company said that the hackers did not access names, home or email addresses, financial data, and account passwords (or PINs).

The notice didn’t say when T-Mobile detected the breach, only that it was now notifying affected customers.

A spokesperson for T-Mobile did not respond to requests for comment, but told one news site that the breach affects about 0.2% of all T-Mobile customers — or approximately 200,000 customers.

It’s the latest security incident to hit the cell giant in recent years.

In 2018, T-Mobile said as many as two million customers may have had their personal information scraped. A year later, the company confirmed hackers accessed records on another million prepaid customers. Just months into 2020, T-Mobile admitted a breach on its email systems that saw hackers access some T-Mobile employee email accounts, exposing some customer data.

Powered by WPeMatico

WeWork employees used an alarmingly insecure printer password

A shared user account used by WeWork employees to access printer settings and print jobs had an incredibly simple password — so simple that a customer guessed it.

Jake Elsley, who works at a WeWork in London, said he found the user account after a WeWork employee at his location mistakenly left the account logged in.

WeWork customers like Elsley normally have an assigned seven-digit username and a four-digit passcode used for printing documents at WeWork locations. But the username for the account used by WeWork employees was just four-digits: “9999”. Elsley told TechCrunch that he guessed the password because it was the same as the username. (“9999” is ranked as one of the most common passwords in use today, making it highly insecure.)

The “9999” account is used by and shared among WeWork community managers, who oversee day-to-day operations at each location, to print documents for visitors who don’t have accounts to print on their own. The account cannot be used to access print jobs sent to other customer accounts.

Elsley said that the “9999” account could not see the contents of documents beyond file names, but that logging in to the WeWork printing web portal could allow him to release other people’s pending print jobs sent to the “9999” account to any other WeWork printer on the network.

The printing web portal can only be accessed on WeWork’s Wi-Fi networks, said Elsley, but that includes the free guest Wi-Fi network which doesn’t have a password, and WeWork’s main Wi-Fi network, which still uses a password that has been widely circulated on the internet.

Elsley reached out to TechCrunch to ask us to alert the company to the insecure password.

“WeWork is committed to protecting the privacy and security of our members and employees,” said WeWork spokesperson Colin Hart. “We immediately initiated an investigation into this potential issue and took steps to address any concerns. We are also nearing the end of a multi-month process of upgrading all of our printing capabilities to a best in class security and experience solution. We expect this process to be completed in the coming weeks.”

WeWork confirmed that it had since changed the password on the “9999” user account.

Powered by WPeMatico

How to respond to a data breach

I cover a lot of data breaches. From inadvertent exposures to data-exfiltrating hacks, I’ve seen it all. But not every data breach is the same. How a company responds to a data breach — whether it was their fault — can make or break its reputation.

I’ve seen some of the worst responses: legal threats, denials and pretending there isn’t a problem at all. In fact, some companies claim they take security “seriously” when they clearly don’t, while other companies see it merely as an exercise in crisis communications.

But once in a while, a company’s response almost makes up for the daily deluge of hypocrisy, obfuscation and downright lies.

Last week, Assist Wireless, a U.S. cell carrier that provides free government-subsidized cell phones and plans to low-income households, had a security lapse that exposed tens of thousands of customer IDs — driver’s licenses, passports and Social Security cards — used to verify a person’s income and eligibility.

A misconfigured plugin for resizing images on the carrier’s website was blamed for the inadvertent data leak of customer IDs to the open web. Security researcher John Wethington found the exposed data through a simple Google search. He reported the bug to TechCrunch so we could alert the company.

Make no mistake, the bug was bad and the exposure of customer data was far from ideal. But the company’s response to the incident was one of the best I’ve seen in years.

Take notes, because this is how to handle a data breach.

Their response was quick. Assist immediately responded to acknowledge the receipt of my initial email. That’s already a positive sign, knowing that the company was looking into the issue.

Powered by WPeMatico

Google launches the final beta of Android 11

With the launch of Android 11 getting closer, Google today launched the third and final beta of its mobile operating system ahead of its general availability. Google had previously delayed the beta program by about a month because of the coronavirus pandemic.

Image Credits: Google

Since Android 11 had already reached platform stability with Beta 2, most of the changes here are fixes and optimizations. As a Google spokesperson noted, “this beta is focused on helping developers put the finishing touches on their apps as they prepare for Android 11, including the official API 30 SDK and build tools for Android Studio.”

The one exception is some updates to the Exposure Notification System contact-tracing API, which users can now use without turning on device location settings. Exposure Notification is an exception here, as all other Android apps need to have location settings on (and user permission to access it) to perform the kind of Bluetooth scanning Google is using for this API.

Otherwise, there are no surprises here, given that this has already been a pretty lengthy preview cycle. Mostly, Google really wants developers to make sure their apps are ready for the new version, which includes quite a few changes.

If you are brave enough, you can get the latest beta over the air as part of the Android Beta program. It’s available for Pixel 2, 3, 3a, 4 and (soon) 4a users.

Powered by WPeMatico

UK eyeing switch to Apple-Google API for coronavirus contacts tracing — report

The UK may be rethinking its decision to shun Apple and Google’s API for its national coronavirus contacts tracing app, according to the Financial Times, which reported yesterday that the government is paying an IT supplier to investigate whether it can integrate the tech giants’ approach after all.

As we’ve reported before coronavirus contacts tracing apps are a new technology which aims to repurpose smartphones’ Bluetooth signals and device proximity to try to estimate individuals’ infection risk.

The UK’s forthcoming app, called NHS COVID-19, has faced controversy because it’s being designed to use a centralized app architecture. This means developers are having to come up with workarounds for platform limitations on background access to Bluetooth as the Apple-Google cross-platform API only works with decentralized systems.

The choice of a centralized app architecture has also raised concerns about the impact of such an unprecedented state data grab on citizens’ privacy and human rights, and the risk of state ‘mission creep‘.

The UK also looks increasingly isolated in its choice in Europe after the German government opted to switch to a decentralized model, joining several other European countries that have said they will opt for a p2p approach, including Estonia, Ireland and Switzerland.

In the region, France remains the other major backer of a centralized system for its forthcoming coronavirus contacts tracing app, StopCovid.

Apple and Google, meanwhile, are collaborating on a so-called “exposure notification” API for national coronavirus contacts tracing apps. The API is slated to launch this month and is designed to remove restrictions that could interfere with how contact events are logged. However it’s only available for apps that don’t hold users’ personal data on central servers and prohibits location tracking, with the pair emphasizing that their system is designed to put privacy at the core.

Yesterday the FT reported that NHSX, the digital transformation branch of UK’s National Health Service, has awarded a £3.8M contract to the London office of Zuhlke Engineering, a Switzerland-based IT development firm which was involved in developing the initial version of the NHS COVID-19 app.

The contract includes a requirement to “investigate the complexity, performance and feasibility of implementing native Apple and Google contact tracing APIs within the existing proximity mobile application and platform”, per the newspaper’s report.

The work is also described as a “two week timeboxed technical spike”, which the FT suggests means it’s still at a preliminary phase — thought it also notes the contract includes a deadline of mid-May.

The contracted work was due to begin yesterday, per the report.

We’ve reached out to Zuhlke for comment. Its website describes the company as “a strong solutions partner” that’s focused on projects related to digital product delivery; cloud migration; scaling digital platforms; and the Internet of Things.

We also put questions arising from the FT report to NHSX.

At the time of writing the unit had not responded but yesterday a spokesperson told the newspaper: “We’ve been working with Apple and Google throughout the app’s development and it’s quite right and normal to continue to refine the app.”

The specific technical issue that appears to be causing concern relates to a workaround the developers have devised to try to circumvent platform limitations on Bluetooth that’s intended to wake up phones when the app itself is not being actively used in order that the proximity handshakes can still be carried out (and contacts events properly logged).

Thing is, if any of the devices fail to wake up and emit their identifiers so other nearby devices can log their presence there will be gaps in the data. Which, in plainer language, means the app might miss some close encounters between users — and therefore fail to notify some people of potential infection risk.

Recent reports have suggested the NHSX workaround has a particular problem with iPhones not being able to wake up other iPhones. And while Google’s Android OS is the more dominant platform in the UK (running on circa ~60% of smartphones, per Kantar) there will still be plenty of instances of two or more iPhone users passing near each other. So if their apps fail to wake up they won’t exchange data and those encounters won’t be logged.

On this, the FT quotes one person familiar with the NHS testing process who told it the app was able to work in the background in most cases, except when two iPhones were locked and left unused for around 30 minutes, and without any Android devices coming within 60m of the devices. The source also told it that bringing an Android device running the app close to the iPhone would “wake up” its Bluetooth connection.

Clearly, the government having to tell everyone in the UK to use an Android smartphone not an iPhone wouldn’t be a particularly palatable political message.

This is effectively a form of Android Herd Immunity: for the good of Britain, vaccinate your friends by giving them Androids!

— Michael Veale (@mikarv) May 5, 2020

One source with information about the NHSX testing process told us the unit has this week been asking IT suppliers for facilities or input on testing environments with “50-100 Bluetooth devices of mixed origin”, to help with challenges in testing the Bluetooth exchanges — which raises questions about how extensively this core functionality has been tested up to now. (Again, we’ve put questions to the NHSX about testing and will update this report with any response.)

Work on planning and developing the NHS COVID-19 app began March 7, according to evidence given to a UK parliamentary committee by the NHSX CEO’s, Matthew Gould, last month.

Gould has also previously suggested that the app could be “technically” ready to launch in as little as two or three weeks time from now. While a limited geographical trial of the app kicked off this week in the Isle of Wight. Prior to that, an alpha version of the app was tested at an RAF base involving staff carrying out simulations of people going shopping, per a BBC report last month.

Gould faced questions over the choice of centralized vs decentralized app architecture from the human rights committee earlier this week. He suggested then that the government is not “locked” to the choice — telling the committee: “We are constantly reassessing which approach is the right one — and if it becomes clear that the balance of advantage lies in a different approach then we will take that different approach. We’re not irredeemably wedded to one approach; if we need to shift then we will… It’s a very pragmatic decision about what approach is likely to get the results that we need to get.”

However it’s unclear how quickly such a major change to app architecture could be implemented, given centralized vs decentralized systems work in very different ways.

Additionally, such a big shift — more than two months into the NHSX’s project — seems, at such a late stage, as if it would be more closely characterized as a rebuild, rather than a little finessing (as suggested by the NHSX spokesperson’s remark to the FT vis-a-vis ‘refining’ the app).

In related news today, Reuters reports that Colombia has pulled its own coronavirus contacts tracing app after experiencing glitches and inaccuracies. The app had used alternative technology to power contacts logging via Bluetooth and wi-fi. A government official told the news agency it aims to rebuild the system and may now use the Apple-Google API.

Australia has also reported Bluetooth related problems with its national coronavirus app. And has also been reported to be moving towards adopting the Apple-Google API.

While, Singapore, the first country to launch a Bluetooth app for coronavirus contacts tracing, was also the first to run into technical hitches related to platform limits on background access — likely contributing to low download rates for the app (reportedly below 20%).

Powered by WPeMatico

Layoffs at Lime and Getaround herald rise of profit-hungry unicorns

Hello and welcome back to our regular morning look at private companies, public markets and the gray space in between.

A million dollars isn’t cool. You know what’s cool? Positive adjusted EBITDA, or something close to it.

That’s the message from scooter unicorn Lime, which announced this week that it was cutting about 14% of its staff and closing a dozen markets. The staff reductions, numbering about 100, come as the company has touted efforts to improve its profitability — going as far as setting targets for when it might reach capital freedom, as well as highlighting the matter in a recent corporate blog post.

(Bird, a Lime competitor, also underwent layoffs this year.)

What’s going on? Unicorns, once hungry for growth, are now hell-bent to show current (and future) investors that their businesses aren’t unprofitable quagmires. Profitability, or movement towards it, is hot, and Lime is a good example of the trend — as is Getaround, which also wrote about its own layoffs this week. Let’s dig in.

Powered by WPeMatico

‘Magic: The Gathering’ game maker exposed 452,000 players’ account data

The maker of Magic: The Gathering has confirmed that a security lapse exposed the data on hundreds of thousands of game players.

The game’s developer, the Washington-based Wizards of the Coast, left a database backup file in a public Amazon Web Services storage bucket. The database file contained user account information for the game’s online arena. But there was no password on the storage bucket, allowing anyone to access the files inside.

The bucket is not believed to have been exposed for long — since around early-September — but it was long enough for U.K. cybersecurity firm Fidus Information Security to find the database.

A review of the database file showed there were 452,634 players’ information, including about 470 email addresses associated with Wizards’ staff. The database included player names and usernames, email addresses, and the date and time of the account’s creation. The database also had user passwords, which were hashed and salted, making it difficult but not impossible to unscramble.

None of the data was encrypted. The accounts date back to at least 2012, according to our review of the data, but some of the more recent entries date back to mid-2018.

A formatted version of the database backup file, redacted, containing 452,000 user records. (Image: TechCrunch)

Fidus reached out to Wizards of the Coast but did not hear back. It was only after TechCrunch reached out that the game maker pulled the storage bucket offline.

Bruce Dugan, a spokesperson for the game developer, told TechCrunch in a statement: “We learned that a database file from a decommissioned website had inadvertently been made accessible outside the company.”

“We removed the database file from our server and commenced an investigation to determine the scope of the incident,” he said. “We believe that this was an isolated incident and we have no reason to believe that any malicious use has been made of the data,” but the spokesperson did not provide any evidence for this claim.

“However, in an abundance of caution, we are notifying players whose information was contained in the database and requiring them to reset their passwords on our current system,” he said.

Harriet Lester, Fidus’ director of research and development, said it was “surprising in this day and age that misconfigurations and lack of basic security hygiene still exist on this scale, especially when referring to such large companies with a userbase of over 450,000 accounts.”

“Our research team work continuously, looking for misconfigurations such as this to alert companies as soon as possible to avoid the data falling into the wrong hands. It’s our small way of helping make the internet a safer place,” she told TechCrunch.

The game maker said it informed the U.K. data protection authorities about the exposure, in line with breach notification rules under Europe’s GDPR regulations. The U.K.’s Information Commissioner’s Office did not immediately return an email to confirm the disclosure.

Companies can be fined up to 4% of their annual turnover for GDPR violations.

Powered by WPeMatico

Bird’s chief legal & policy officer is leaving the company

Bird, the $2.5 billion electric scooter business, is losing its chief legal and policy officer. David Estrada, who was hired last year from Kitty Hawk, is joining another mobility company, SoftBank-backed Nuro.

A spokesperson for Bird tells TechCrunch Estrada is leaving the Santa Monica-based company to be closer to his family. Nuro, for its part, is based in Mountain View, CA.

davidestrada

Bird’s former chief legal officer, David Estrada.

Estrada, who previously oversaw public policy at the electric aircraft company Kitty Hawk as its chief legal officer, has been responsible for Bird’s compliance and government relations efforts as the company scaled to over 100 global cities. Prior to joining Kitty Hawk, Estrada spent nearly two years as Lyft’s vice president of government relations and worked as the legal director for Google X, partnering with states on legislation around autonomous vehicles, Google Glass and drone delivery.

Nuro, founded in June 2016, has emerged as a key player in the rapidly-expanding autonomous delivery sector. The company has attracted a whopping $1.03 billion in venture capital funding to date, according to Pitchbook. SoftBank funneled an astounding $940 million into the business earlier this year at an undisclosed valuation. In addition to SoftBank, Nuro is backed by Greylock and the Chinese venture capital firm Gaorong Capital.

The company has been developing a self-driving stack and combining it with a custom unmanned vehicle designed for last-mile delivery of local goods and services. It began piloting grocery delivery in 2018 in the Phoenix suburb of Scottsdale.

Bird has overcome a number of unique hurdles with many more afoot, including pushback from local governments who were aggravated by the sudden appearance of hundreds of scooters. At Nuro, Estrada will have the opportunity to focus on the future of unmanned delivery, another sector faced with regulatory challenges and political barriers.

Powered by WPeMatico

Africa’s top mobile phone seller Transsion to list in Chinese IPO

Chinese mobile-phone and device maker Transsion will list in an IPO on Shanghai’s STAR Market, Transsion confirmed to TechCrunch.

The company — which has a robust Africa sales network — could raise up to 3 billion yuan (or $426 million).

“The company’s listing-related work is running smoothly. The registration application and issuance process is still underway, with the specific timetable yet to be confirmed by the CSRC and Shanghai Stock Exchange,” a spokesperson for Transsion’s Office of the Secretary to the Chairman told TechCrunch via email.

Transsion’s IPO prospectus is downloadable (in Chinese) and its STAR Market listing application available on the Shanghai Stock Exchange’s website.

STAR is the Shanghai Stock Exchange’s new Nasdaq-style board for tech stocks that also went live in July with some 25 companies going public. 

Headquartered in Shenzhen — where African e-commerce unicorn Jumia also has a logistics supply-chain facility — Transsion is a top-seller of smartphones in Africa under its Tecno brand.

The company has a manufacturing facility in Ethiopia and recently expanded its presence in India.

Transsion plans to spend the bulk of its STAR Market raise (1.6 billion yuan or $227 million) on building more phone assembly hubs and around 430 million yuan ($62 million) on research and development, including a mobile phone R&D center in Shanghai, a company spokesperson said. 

Transsion recently announced a larger commitment to capturing market share in India, including building an industrial park in the country for manufacture of phones to Africa.

The IPO comes after Transsion announced its intent to go public and filed its first docs with the Shanghai Stock Exchange in April. 

Listing on the STAR Market will put Transsion on the freshly minted exchange seen as an extension of Beijing’s ambition to become a hub for high-potential tech startups to raise public capital. Chinese regulators lowered profitability requirements for the exchange, which means pre-profit ventures can list.

Transsion’s IPO process comes when the company is actually in the black. The firm generated 22.6 billion yuan ($3.29 billion) in revenue in 2018, up from 20 billion yuan a year earlier. Net profit for the year slid to 654 million yuan, down from 677 million yuan in 2017, according to the firm’s prospectus.

Transsion sold 124 million phones globally in 2018, per company data. In Africa, Transsion holds 54% of the feature phone market — through its brands Tecno, Infinix and Itel — and in smartphone sales is second to Samsung and before Huawei, according to International Data Corporation stats.

Transsion has R&D centers in Nigeria and Kenya and its sales network in Africa includes retail shops in Nigeria, Kenya, Tanzania, Ethiopia and Egypt. The company also attracted attention for being one of the first known device makers to optimize its camera phones for African complexions.

On a recent research trip to Addis Ababa, TechCrunch learned the top entry-level Tecno smartphone was the W3, which lists for 3,600 Ethiopian Birr, or roughly $125.

In Africa, Transsion’s ability to build market share and find a sweet spot with consumers on price and features gives it prominence in the continent’s booming tech scene.

Africa already has strong mobile-phone penetration, but continues to undergo a conversion from basic USSD phones, to feature phones, to smartphones.

Smartphone adoption on the continent is low, at 34%, but expected to grow to 67% by 2025, according to GSMA.

This, added to an improving internet profile, is key to Africa’s tech scene. In top markets for VC and startup origination — such as Nigeria, Kenya, and South Africa — thousands of ventures are building business models around mobile-based products and digital applications.

If Transsion’s IPO enables higher smartphone conversion on the continent, that could enable more startups and startup opportunities — from fintech to VOD apps.

Another interesting facet to Transsion’s IPO is its potential to create greater influence from China in African tech, in particular if the Shenzhen company moves strongly toward venture investing.

China’s engagement with African startups has been light compared to China’s deal-making on infrastructure and commodities — further boosted in recent years as Beijing pushes its Belt and Road plan.

Transsion’s IPO move is the second recent event — after Chinese owned Opera’s big venture spending in Nigeria — to reflect greater Chinese influence and investment in the continent’s digital scene.

So in coming years, China could be less known for building roads and bridges in Africa and more for selling smartphones and providing VC for African startups.

Powered by WPeMatico