It’s all in the (lack of) details: 2022’s badly handled data breaches

Data breaches can be extremely harmful to organizations of all shapes and sizes – but it’s how these companies react to the incident that can deal their final blow. While we’ve seen some excellent examples of how companies should respond to data breaches over the past year — kudos to Red Cross and Amnesty for their transparency — 2022 has been a year-long lesson in how not to respond to a data breach.

Here is a look back at this year’s badly handled data breaches:

Nvidia

Chipmaker giant Nvidia confirmed it was investigating a so-called “cyber incident” in February, which it later confirmed was a data extortion event. The company refused to say much else about the incident, and, when pressed by TechCrunch, declined to say how it was compromised, what data was stolen, or how many customers or employees were impacted.

While Nvidia stayed tight-lipped, the now-notorious Lapsus$ gang quickly took responsibility for the breach and claimed it stole one terabyte of information, including “highly confidential” data and proprietary source code. According to data breach monitoring website Have I Been Pwned, the hackers stole the credentials of more than 71,000 Nvidia employees, including email addresses and Windows password hashes.

DoorDash

In August, DoorDash approached TechCrunch with an offer to exclusively report on a data breach that exposed DoorDash customers’ personal data. Not only is it unusual to be offered news of an undisclosed breach before it’s announced, it was even stranger to have the company decline to answer nearly every question about the news it wanted us to break.

The food delivery giant confirmed to TechCrunch that attackers accessed the names, email addresses, delivery addresses, and phone numbers of DoorDash customers, along with partial payment card information for a smaller subset of users. It also confirmed that for DoorDash delivery drivers, or Dashers, hackers accessed data that “primarily included name and phone number or email address.”

But DoorDash declined to tell TechCrunch how many users were affected by the incident — or even how many users it currently has. DoorDash also said that the breach was caused by a third-party vendor, but declined to name the vendor when asked by TechCrunch, nor would it say when it discovered that it was compromised.

Samsung

Hours before a long July 4 holiday, Samsung quietly dropped notice that its U.S. systems were breached weeks earlier and that hackers had stolen customers’ personal information. In its barebones breach notice, Samsung confirmed unspecified “demographic” data, which likely included customers’ precise geolocation data, browsing and other device data from customers’ Samsung phones and smart TVs, was also taken.

Now at year’s end, Samsung still hasn’t said anything further about its hack. Instead of using the time to draft a blog post that says which, or even how many customers are affected, Samsung used the weeks prior to its disclosure to draw up and push out a new mandatory privacy policy on the very same day of its breach disclosure, allowing Samsung to use customers’ precise geolocation for advertising and marketing.

Because that was Samsung’s priority, obviously.

Revolut

Fintech startup Revolut in September confirmed it was hit by a “highly targeted cyberattack”, and told TechCrunch at the time that an “unauthorized third party” had obtained access to the details of a small percentage (0.16%) of customers “for a short period of time.”

However, Revolut wouldn’t say exactly how many customers were affected. Its website says the company has approximately 20 million customers; 0.16% would translate to about 32,000 customers. However, according to Revolut’s breach disclosure, the company says 50,150 customers were impacted by the breach, including 20,687 customers in the European Economic Area and 379 Lithuanian citizens.

The company also declined to say what types of data were accessed. In a message sent to affected customers, the company said that “no card details, PINs or passwords were accessed.” However, Revolut’s data breach disclosure states that hackers likely accessed partial card payment data, along with customers’ names, addresses, email addresses, and phone numbers.

NHS supplier Advanced

Advanced, an IT service provider for the U.K.’s NHS, confirmed in October that attackers stole data from its systems during an August ransomware attack. The incident downed a number of the organization’s services, including its Adastra patient management system, which helps non-emergency call handlers dispatch ambulances and helps doctors access patient records, and Carenotes, which is used by mental health trusts for patient information.

While Advanced shared with TechCrunch that its incident responders — Microsoft and Mandiant — had identified LockBit 3.0 as the malware used in the attack, the company declined to say whether patient data had been accessed. The company admitted that “some data” pertaining to over a dozen NHS trusts was “copied and exfiltrated,” but refused to say how many patients were potentially impacted or what types of data were stolen.

Advanced said there is “no evidence” to suggest that the data in question exists elsewhere outside its control and that “the likelihood of harm to individuals is low.” When reached by TechCrunch, Advanced chief operating officer Simon Short declined to say if patient data is affected or whether Advanced has the technical means, such as logs, to detect if data was exfiltrated.

Twilio

In October, U.S. messaging giant Twilio confirmed it was hit by a second breach that saw cybercriminals access customer contact information. News of the breach, which was carried out by the same “0ktapus” hackers that compromised Twilio in August, was buried in an update to a lengthy incident report and contained few details about the nature of the breach and the impact on customers.

Twilio spokesperson Laurelle Remzi declined to confirm the number of customers impacted by the June breach or share a copy of the notice that the company claims to have sent to those affected. Remzi also declined to say why Twilio took four months to publicly disclose the incident.

Rackspace

Enterprise cloud computing giant Rackspace was hit by a ransomware attack on December 2, leaving thousands of customers worldwide without access to their data including archived email, contacts, and calendar items. Rackspace received widespread criticism over its response for saying little about the incident or its efforts to restore the data.

In one of the company’s first updates, published on December 6, Rackspace said that it had not yet determined “what, if any, data was affected,” adding that if sensitive information was affected, it would “notify customers as appropriate.” We’re now at the end of December and customers are in the dark about whether their sensitive information was stolen.

LastPass

And finally, but by no means least: The beleaguered password manager giant LastPass confirmed three days before Christmas that hackers had stolen the keys to its kingdom and exfiltrated customers’ encrypted password vaults weeks earlier. The breach is about as damaging as it gets for the 33 million customers who use LastPass, whose encrypted password vaults are only as secure as the customer master passwords used to lock them.

But LastPass’ handling of the breach drew a swift rebuke and fierce criticism from the security community, not least because LastPass said that there was no action for customers to take. Yet, based on a parsed read of its data breach notice, LastPass knew that customers’ encrypted password vaults could have been stolen as early as November, after the company confirmed its cloud storage was accessed using an employee’s cloud storage keys stolen during an earlier breach in August, which the company hadn’t revoked.

The fault and blame lie squarely with LastPass for its breach, but its handling was egregiously bad form. Will the company survive? Maybe. But in its atrocious handling of its data breach, LastPass has sealed its reputation.

It’s all in the (lack of) details: 2022’s badly handled data breaches by Carly Page originally published on TechCrunch

An EV-plosion awaits in 2023, and it’ll be packed with tech

2022 was the year that electric vehicles entered the mainstream. Not everyone has one, but buying an EV no longer makes you an outlier. Driven by policy initiatives from governments and billions of dollars in investment from automakers, we can safely say the EV industry has begun to take shape.

Over the next year, that landscape will develop beyond the foundations of 2022. Here are some of our best guesses for what you can expect.

There will be a race to sell U.S.-built EVs in the first quarter

The Inflation Reduction Act, which the Biden administration passed in August, has already had a huge effect on the EV industry as automakers work to onshore their supply chains and factories. But with certain aspects of the IRA’s EV tax credit rules now delayed until March 2023, we’re expecting to see EV sales take off in the first quarter of the year.

Under the bill, eligible EVs could qualify for a $7,500 tax credit if they meet the requirements of being built in North America and having sourced critical battery materials from the U.S. or free trade agreement countries. Those rules were meant to go into effect on January 1, 2023, but the Treasury Department has delayed guidance on the critical materials rule until March. And it’s a good thing, too. While automakers in 2022 scrambled to set up factories in the U.S., most critical materials still come from China, so they need time (likely years) to set up new supply chains.

The delay means that a whole host of North American-built cars will now be eligible for the full refund, at least for the first three months of the year. The biggest winners will probably be Tesla and General Motors, whose sales caps under the previous EV tax incentives will be waived in the new year. But others like Ford, Nissan, Rivian and Volkswagen have all got a lineup of NA-built EVs that are ready to reap the benefits.

Even more EV models and sales

Electric vehicle sales in 2022 were pretty much dominated by who you’d expect: Tesla’s Models S, Y and 3, Chevrolet’s Bolt and Ford’s Mustang Mach-E. In the backdrop, nearly every automaker, be they a legacy OEM or a startup, unveiled a slew of impressive EVs for the 2023 market, from the Alfa Romeo Tonale to the Indi One. Most of them were geared towards the luxury consumer, though. In the next year, we’ll see even more new models come out that are priced much more affordably.

In addition, expect the sheer number of new EVs on the market to pick up as new factories come online. McKinsey predicts legacy automakers and EV startups will produce up to 400 new models by 2023.

All the new models coming out will give Tesla a run for its money, predicts Shahar Bin-Nun, CEO of Tactile Mobility, an AV sensor tech company. Bin-Nun says he expects Tesla to still dominate the U.S. EV market in 2023, but that Ford, Hyundai and Kia will follow closely behind as they ramp up their lineups and production capacities.

We can also expect the market for secondhand EVs to creep up in 2023, which will make it much easier for people who are filthy rich to afford a zero-emission vehicle.

The software-defined vehicle will really take hold

Every automaker has been talking about the “software-defined vehicle” throughout 2022 as a concept that’s inherently linked to the electric vehicle. In 2023, we’ll really get a chance to see what that means.

General Motors, for example, will launch Ultifi early next year, its end-to-end vehicle software platform that promises OTA software updates, cloud connectivity and vehicle-to-everything communication. Ultifi will be the place where drivers can purchase apps, services and features – it’s an example of how automakers are increasingly trying to personalize vehicles to the individual’s needs.

This personalization will likely lead to an increase in subscription-based services in the car, says Will White, co-founder of Mapbox, a provider of online maps.

“We’ll also continue to see high demand for convenience-based services like in-car payments, where consumers will have a credit card on file in their app that pays for everything automotive-related,” said White.

On the backend, the software-defined vehicle will also dance with the metaverse. In 2022, a range of automakers, including Jaguar Land Rover, Nio, Polestar, Volvo and XPeng, announced plans to build software-defined vehicles on Nvidia’s Drive Orin system-on-a-chip. In 2023, automakers will also rely on Nvidia’s recently upgraded Omniverse platform, which stands to revolutionize everything from designing vehicles to the automotive product cycle. Using tech like this, automakers will increasingly build digital twins of both their vehicles and their production facilities in order to simulate anything from software upgrades within the vehicle to crash tests to factory efficiencies.

I guess we have to get used to saying Level 2+ ADAS

While we’re on the subject of software, automakers in 2023 will put much more investment into launching Level 2+ and Level 3 autonomous systems, which are basically really good advanced driver assistance systems. White says these systems will be a commonplace expectation in high-trim models.

Tesla will of course continue adding new features to its Autopilot and so-called “Full Self-Driving” software. But other automakers will come out with their own brands of impressive tech that will take care of more and more automated driving tasks.

Earlier this year, autonomous vehicle company Argo AI shut down after Ford and Volkswagen pulled their investments. The IP was pretty much split between the two automakers, both of which said they were committed to pursuing near-term gains like L2+ and L3 systems. Rivian founder RJ Scaringe also said his company will focus on getting its own ADAS right.

Meanwhile in China, XPeng is rolling out the G9 SUV with its XNGP software, which the company describes as a “full scenario” ADAS that promises to automate highway driving, city driving and parking tasks.

More investment into getting charging right

J.D. Power analysts are expecting the market share of EVs in the U.S. to reach 12% next year, up from 7% today. If you narrow the scope to consumers that actually have access to EVs, that market share looks more like 20%.

Whatever the number, the fact remains that we’ll be seeing millions more EVs hit the streets in the U.S. next year. That means all of the ancillary services needed to keep them running will need to step up.

In 2023, we can expect to see investment – from government, utility and private firms – into charging infrastructure, energy storage and energy transmission.

Ensuring the EV transition is a smooth one isn’t just about building more EV chargers, although, we grant, that’s a really important piece. Maintaining chargers will also be prioritized next year. A separate J.D. Power study earlier this year found that not only is availability of public charging still an obstacle, but often when you do find a charger, it’s broken. We predict there’ll be some tech, either from upstarts or existing EV charging players, that helps manage maintenance, servicing and upgrades for chargers.

In that same vein, throughout 2022, every few months we stumbled across some startup or utility company crying out that the electrical grid will never be able to handle all of the electric vehicles we’ll see in 2023. They’re probably right. So alongside energy management infrastructure, we expect to see more vehicle-to-grid software.

There were a few pilots in 2022, many of which were focused on V2G technology at home. Ford’s F-150 Lightning pickup truck is among a few vehicles that have promised to be able to power your home in the event of an outage. But we think as more fleets go electric, we’ll start to see those pilots happening in commercial settings at a wider scale.

The rise of EV fleets

We already saw many fleet operators begin to adopt EVs in 2022, as they aim to reach whatever carbon emissions goals they’ve set for themselves. Hertz, for example, plans to buy 65,000 Polestar vehicles, 100,000 Teslas and 175,000 General Motors vehicles over the next couple years to reach its goal of having 25% of its fleet electric by the end of 2024.

In 2023, those purchases will only ramp up, particularly as commercial EV makers get their production lines up and running.

GM’s BrightDrop, for example, has recently launched its CAMI Assembly plant in Ontario, which is expected to produce 50,000 of its Zevo delivery vans by 2025. BrightDrop has already secured over 25,000 reservations from customers like DHL and FedEx that are working towards net-zero goals.

Another commercial EV company, Canoo, plans to buy a vehicle manufacturing facility in Oklahoma City in order to ramp production of its Lifestyle Delivery Vehicle and bring those EVs to market next year for committed customers like NASA and Walmart.

An EV-plosion awaits in 2023, and it’ll be packed with tech by Rebecca Bellan originally published on TechCrunch

Uber and Amazon blasted for poor working conditions for gig workers in India

Research firm Fairwork India blasted Ola, Uber, Dunzo, PharmEasy and Amazon Flex in a report Tuesday, saying the firms scored zero in its assessment of whether they created fair conditions for their gig workers.

The research project, which collaborated with partners at the University of Oxford, said the aforementioned firms did not provide fair pay, fair contracts, fair management, fair representation or fair working conditions to their gig workers.

The firm studied 12 firms and granted unicorn Urban Company a score of seven out of 10, six to online grocer Bigbasket, five each to Flipkart and Swiggy, four to Zomato, two to grocery delivery firm Zepto and one to Tiger Global-backed delivery firm Porter.

“This year, only Bigbasket, Flipkart and Urban Company were awarded the first point because of the public commitments they have made to paying workers at least the hourly local minimum wage after factoring in work-related costs,” Fairwork India said in its fourth annual report.

“Bigbasket and Urban Company have operationalised this by committing to reimburse the difference between worker’s earnings per hour and the hourly local minimum wage after costs. Flipkart and Urban Company have committed to basing their pricing structure for workers on the hourly local minimum wage after costs. Flipkart has also undertaken steps to hold its third party service providers to the same commitment,” the report added.

Gig economy workers, whose participation in the workforce has significantly increased in recent years, aren’t extended the vast range of employee benefits such as health insurance. Many researchers say the firms taking services from these workers are exploiting them and limiting corporate liabilities.

“The promise of flexibility of the digital platform economy raises as many questions about livelihoods as it offers opportunities. We hope the Fairwork report provides the basis for an interpretation of flexibility that allows for not merely the adaptability that platforms seek, but also the income and social security that workers lack,” said Professors Balaji Parthasarathy and Janaki Srinivasan, the principal investigators of the team, in a statement.

You can read the full report here (PDF).

Uber and Amazon blasted for poor working conditions for gig workers in India by Manish Singh originally published on TechCrunch

Digital health startups can incorporate clinical expertise into business models – here’s how

Early indications show funding to digital health startups in Q4 2022 fell so much, they’re close to levels last seen in 2019.

But the dollar amounts don’t tell the whole story. How you grow as a digital healthcare company is just as important as if you grow at all.

A company built for the long term should have clinical experts as part of its leadership to ensure that care is always based on the patient’s medical needs as well as maintain quality control.

Here’s a framework that digital health startups can consider:

Bring clinicians into senior leadership

The best-case scenario for a digital health startup is to bring on a clinician as a co-founder.

I speak from experience. My co-founder is a triple-board-certified psychiatrist who brings clinical expertise to everything she does. From evaluating product roadmap decisions with our technology department to strategy discussions at board meetings and managing our entire clinical team, her contributions are vital to the health and direction of the company.

Outside the C-suite, hiring clinicians as senior leaders with responsibilities beyond clinical practice is invaluable. The key is to ensure clinicians know they will report to another clinician, not a non-clinical executive.

Non-clinical leaders, including founders and non-clinical C-suite executives, should practice what they preach. They should consistently loop in their clinical partners for business discussions even if they don’t have an obvious clinical impact.

The main benefits of taking this approach include:

The clinical and non-clinical partnership is more active from the jump;
Other team members and clinical staff will see and respect the inclusion;
Clinicians may uncover something that has an indirect but important clinical impact.

Beyond hiring clinicians in-house, startups should consider inviting clinicians to join their board of directors. Their presence on the board helps guide a company towards becoming an ethical and sustainable medical practice focused on helping patients rather than a technology company operating at the expense of patients.

This dedication to patient outcomes is a differentiator and should be reflected at every working level of a digital health startup.

Celebrate providers’ dedication

Dedicating resources and space to full-time providers allows them to focus more on patient care — the reason they got into medicine.

Digital health startups can incorporate clinical expertise into business models – here’s how by Ram Iyer originally published on TechCrunch

Payment system operators to report fraud on RBI's DAKSH from January 1

In addition to the existing bulk upload facility to report payment frauds, DAKSH provides additional functionalities, like a maker-checker facility, online screen-based reporting, an option for requesting additional information, the facility to issue alerts and advisories, and the generation of dashboards and reports.

How to set alerts for upcoming movies on the Paytm App

Paytm is a digital wallet and payments app that allows users to pay for utility bills, transportation tickets, rent, groceries and more. The Paytm app also sends alerts that let users stay updated on the movies coming to theaters. If you would like to know about the latest movies, you can set up alerts in the Paytm app.