Today was supposed to be the deadline for Equifax’s free credit freeze offering, but the company has decided to extend the service to consumers for another five months. Now, Equifax customers can request a credit freeze through June 30.
Still, January 31 is the last day to cash in on free credit monitoring through Equifax’s TrustedID Premier program, assuming you still trust the company that failed to protect the personal data of 143 million users enough to rely on it.
Users who freeze their credit report through Equifax should also look into doing so at Experian and TransUnion, the other two major credit bureaus. Freezing your credit reports is a useful, if imperfect, tool for anyone concerned that their accounts or identifying information (social security numbers, birth dates, etc.) might be compromised: it can prevent would-be identity thieves from opening a line of credit or a loan in your name.
Equifax is also introducing a new credit locking service called Lock & Alert, made available today (and free for life) in app form. It may sound redundant, but a lock and a freeze are two different services. As the company explained to CNN Money, a credit freeze can only be lifted with a PIN, while a credit lock uses “modern authentication techniques, such as username and passwords and one time passcodes for better user experience.” The Lock & Alert app is available now through the App Store and through Google Play.
The Equifax breach, WannaCry, NotPetya, the NSA leak, and many more cyber incidents – 2017 was certainly a busy year for hackers, illustrating yet again just how vital innovative cybersecurity solutions are in the fight against cyber threats.
Second only to the U.S. in terms of cybersecurity investment, 2017 was another excellent year for Israeli cybersecurity startups, with dozens of companies being formed, breaking fundraising records and producing solid exits. The 2017 data also suggest that the Israeli cybersecurity industry is maturing, as we see a shift in funding towards later stage companies.
More Capital, Fewer Startups
In 2017 we witnessed 60 newly founded cybersecurity startups emerge in Israel, a 28% decrease from the 83 companies founded in 2016. Conversely, the average 2017 seed round increased 16% YoY, growing from $2.85 million to $3.3 million. This is Israel’s fourth consecutive year of increasing round sizes at the seed stage – a trend that we are observing and contributing to as we write larger checks to invest in great cybersecurity entrepreneurs.
One might think that the decrease in the number of cybersecurity startups is an alarming signal, warning of an industry in decline. Our view is that this is a positive indicator of a maturing industry. Cybersecurity is a crowded space, in which thousands of companies operate. CISOs are bombarded with dozens of solutions every day, each of which promises to stop the next big attack. Given this dynamic, it is getting harder for “me too” cybersecurity companies to receive funding, as investors are looking for more differentiated and broader solutions that address the increasingly complex needs of customers.
Those who do manage to raise money tend to convey a grander vision, while aiming to build robust products that require more capital. The result is fewer startups being funded by more capital. This is a positive development for the entrepreneurs who want to build sustainable companies, the investors backing those ideas, and the customers who need more sophisticated solutions.
Younger Teams and More Female Founders
The 2017 data show a steep increase in the percentage of female founders. While still a predominantly male field, 15% of newly established cybersecurity teams in 2017 had a female founder, an increase from 5% the previous year.
As in 2016, there was a nearly even split between startups founded by experienced teams (those with more than a decade of executive or entrepreneurial experience) and companies founded by less seasoned entrepreneurs. We did witness a slight increase in teams led by IDF graduates, founders that leverage their relevant military experience to build cybersecurity companies soon after being discharged. One such example is Axonius, which was founded by three graduates of 8200, the IDF’s elite intelligence unit, who are building a visibility and control platform to secure assets on enterprises’ networks.
More Funding, Fewer Rounds
Looking at 2017 Israeli cybersecurity fundraising, we see a familiar trend of fewer companies raising larger amounts of capital. Israeli cybersecurity companies across all stages raised over $847 million this year, representing a 23% increase from the $689 million raised in 2016.
Breaking it down further, overall funding in seed and A rounds decreased 14% and 46% respectively, while funding at the later stages increased significantly, with a 218% increase in B rounds and a 165% increase in growth rounds. In addition, the number of investment rounds in Israeli cybersecurity companies decreased from 72 in 2016 to 63 rounds in 2017.
The decrease in the number of funding rounds and the distribution of capital across stages is in line with a global trend in venture capital funding, as previously reported here in TechCrunch. The volume of venture deals in tech companies has decreased over the last few years. The majority of the decline is explained by a drop in early stage investments, with funding and volume levels in later rounds remaining significant.
This is driven, in part, by VC firms investing in late-stage opportunities and aggressively following-on in companies with the potential to lead their markets. We believe that the same dynamic is present in the Israeli cybersecurity ecosystem, with companies like Deep Instinct, Demisto, PerimeterX, Twistlock, and Karamba Security raising large B rounds, and companies like SentinelOne and Cybereason raising significant amounts of growth capital this year.
2017 Cybersecurity Trends
The most funded cybersecurity fields of 2017 include traditional IT categories like network security, mobile security and vulnerability & risk management. Another prominent category was IoT security which saw investments across all stages, as new companies emerged and mature ones gained momentum.
The proliferation of smart devices into everyday life has sprouted a growing ecosystem of IoT security companies, creating subcategories within the sector focused on specific use cases like smart home protection, securing connected and autonomous vehicles, and dedicated solutions for medical devices. Medical device protection is a newly emerged category this year, and we have seen several startups, including Medigate, that are focused on helping healthcare organizations secure themselves from the growing number of targeted attacks.
Cybersecurity Exits in 2017
Israeli cybersecurity companies exited for approximately $1.3 billion in 2017 (not including IPOs), with an average exit valuation of $130 million. The average amount of capital raised by the cybersecurity companies that exited in 2017 was just above $17 million, and it took 5.5 years on average for a company to be acquired. Comparing these figures to those of the Israeli enterprise software companies that exited this year, cybersecurity companies performed better in every category – they raised less capital, achieved higher valuations, and exited faster.
While 2017 certainly saw a healthy M&A exit market, it is also worth mentioning that ForeScout went public at over $800 million, meaningful evidence of the Israeli ecosystem’s ability to produce large standalone cybersecurity companies.
The Continuing Growth of the Israeli Cybersecurity Ecosystem
The global cybersecurity incursions of 2017 illuminate the continuing role that innovation plays in information security and defense. Looking forward to 2018, we believe Israeli startups will continue to leverage the immense pool of local talent to build comprehensive solutions addressing global markets.
As the local industry matures, we anticipate that recent trends will continue in 2018, with fewer startups forming, while large amounts of capital pour into later rounds to fuel growth and expansion.
The continued maturation and evolution of the Israeli cybersecurity startup ecosystem will soon be on full display at Cybertech Israel, the largest annual conference of cyber technologies outside the United States, taking place this January in Tel Aviv.
Disclosure: Yoav Leitersdorf, the founding partner of YL Ventures, contributed to this report.
YL Ventures is an investor in Axonius, Twistlock, Karamba Security, and Medigate.
The UK’s digital minister has said the October 2016 data breach that Uber disclosed this week does affect UK users — though it’s still unclear how many are impacted at this stage.
Making a statement in parliament yesterday, Matt Hancock said:
We are verifying the extent and the amount of information. When we have a sufficient assessment, we will publish the details of the impact on UK citizens, and we plan to do that in a matter of days. As far as we can tell, the hack was not perpetrated in the UK, so our role is to understand how UK citizens are affected. We are working with the Information Commissioner’s Office and the National Cyber Security Centre, and they are talking to the US Federal Trade Commission and others to get to the bottom of things.
At this stage, our initial assessment is that the stolen information is not the sort that would allow direct financial crime, but we are working urgently to verify that further, and we rule nothing out. Our advice to Uber drivers and customers is to be vigilant and to monitor accounts, especially for phishing activity. If anyone thinks they are a victim, contact the Action Fraud helpline and follow the NCSC guidance on passwords and best practice.
On Tuesday, a year after it had learned about the breach, Uber informed the press that hackers had accessed the personal data of 57 million Uber users and drivers.
It said around 50 million Uber riders and around seven million drivers were affected. Data accessed included names, email addresses and phone numbers in the case of Uber users. Some 600,000 US driver’s license numbers were also accessed. Uber has claimed no financial information leaked.
It apparently paid $100,000 to the hackers to delete the data.
Uber also said some of the data involved users of its service outside the US, though it has not yet publicly provided a breakdown of specific affected markets.
“We do not have sufficient confidence in the number that Uber has told us to go public on it,” said Hancock, responding to questions put to him in parliament about the breach, and implying the government believes the figure Uber has provided is too small to be credible.
“We are working with the National Cyber Security Centre and the ICO [UK’s data watchdog] to have more confidence in the figure,” he continued, pointing out that in the case of the recent Equifax breach, which also affected UK users, the “initial figure suggested went up”.
“We want to get to the bottom of it and will publish further details within days, and if required I will be happy to come before the House to take further questions,” he added.
Reached for a response to Hancock’s comments, an Uber spokesperson told us he could not provide any additional information on the breakdown of the breach at this stage.
“We are in the process of notifying various regulatory and government authorities and we expect to have ongoing discussions with them. Until we complete that process we aren’t in a position to get into any more details,” he added.
Meanwhile, the European Union’s Article 29 Working Party — aka the influential data agency that’s made up of representatives from all 28 EU Member States’ national data protection bodies — said it has added the Uber data breach to its agenda for its next plenary session, due to take place on November 28 and 29.
A spokeswoman for the group told us: “It is too soon to talk about the possible actions that have to be decided by the group. The enforcement actions are still on the national level until GDPR next May (investigations, sanctions). But the plenary session could decide for example to dedicate a taskforce to coordinate the national initiatives.”
GDPR refers to the incoming General Data Protection Regulation, which comes into force across the EU in May 2018.
The regulation sets a new standard for breach disclosures — of just 72 hours after a company has become aware of an intrusion that has compromised personal data.
The new rules are also backed up by far stiffer penalties for non-compliance, including a fine of 4% of a company’s annual global turnover (or €20M, whichever is greater).
For now though, Uber faces a compliance patchwork of different national rules across any European Union countries impacted by the data breach.
In the UK, Uber could be on the hook for a fine of £500,000 if it’s found to have broken UK data protection law — aka the current maximum the ICO can levy, ahead of new legislation currently being debated to align UK law with the incoming EU regulation.
Responding to a question on whether he believes Uber has broken current UK law, Hancock said it “would be a matter for the courts” — but added: “I think there is a very high chance that it has.”
He further revealed the government only learned about the breach via the media: “As far as we are aware, the first notification to UK authorities — whether the government, the ICO or the NCSC [National Cyber Security Centre] — was through the media,” he said.
Labour MP Wes Streeting took the opportunity to press Hancock on the government’s response to Transport for London stripping Uber of its license to operate in the city in September — a decision Uber is currently appealing.
“Does he think that a company that covers up the theft of data and pays a ransom to criminal hackers can possibly be considered a fit and proper operator of licensed minicabs in our towns and cities?” Streeting asked the minister, accusing the government of attacking London’s mayor for his support of the Uber ban.
“Given that we now know that Uber plays fast and loose with the personal data of its 57 million customers and drivers, is it not time that the government stopped cosying up to this grubby, unethical company and started standing up for the public interest?”
“Licensing taxi companies and private hire companies is rightly for local authorities. This is a data protection issue, and we are dealing with it with the utmost urgency,” responded Hancock, going on to note that the government is currently legislating for higher fines for data protection failures, in a new Data Protection Bill, as well as pointing to the incoming 72-hour breach disclosure standard which will align UK law with GDPR.
“Delaying notification is unacceptable unless there is a very good reason and is, as I said, an aggravating factor when the Information Commissioner looks into such cases,” he added.
Yesterday the ICO put out a strongly worded statement regarding the Uber breach — saying it “raises huge concerns”, and warning that companies that conceal breaches can “attract higher fines”.
The Uber breach has also renewed calls for the government to rethink its approach to data redress by supporting a provision being added to the Data Protection Bill to allow independent bodies to pursue data redress on behalf of consumers.
Last month UK consumer group Which? called for the government to give independent bodies the power to seek collective redress on behalf of consumers when a company has failed to take sufficient action in the wake of a data breach.
However the government has so far opposed any such provision.
“Uber’s data breach — and the fact that it’s been hidden — will worry customers and drivers alike. It’s critical that the company does all that it can to ensure affected people get clear information about what’s happened,” said Which?’s MD of home products and services, Alex Neill, discussing the Uber breach in the Telegraph.
“Data breaches are becoming more and more common and yet the protections for consumers are lagging behind. The UK Government should use the Data Protection Bill to give independent bodies the power to seek collective redress on behalf of affected customers when a company has failed to take sufficient action following a data breach.”
Hancock was also pressed in parliament on whether the government will now commit to reversing its opposition to collective redress — to, as one MP put it, “show that we are on the side of consumers and employers, not huge corporations that are careless with our data”.
He responded by claiming the government had rejected an amendment to include collective redress because it “pushed in the opposite direction” to the “principle” behind the Data Protection Bill which he said aims to “increase the level of consent required and people’s control over their own data”.
But he also noted that the draft bill will be debated in the House of Commons in due course — meaning there’s at least a possibility that Uber’s decision to conceal a massive data breach for so long could end up helping to bolster consumer protections in UK data protection law.
It’s even more likely to play an influential role in determining the outcome of Uber’s appeal against its London license loss.
Eyeing more secure alternatives to social security numbers, lawmakers in the U.S. are looking abroad. Today, the Senate Commerce Committee questioned former Yahoo CEO Marissa Mayer, Verizon Chief Privacy Officer Karen Zacharia, and both the current and former CEOs of Equifax on how to protect consumers against major data breaches. The consensus was that social security numbers have got to go.
Rounding out the panel, Entrust Datacard President and CEO Todd Wilkinson offered some context and insight about why the U.S. should indeed move away from social security numbers — a step that the witnesses unanimously agreed was necessary if not wholly sufficient to protect consumers moving forward, in light of the Equifax hack.
“Over 145 million Americans’ insecure identities are now forever at risk, and they have limited ability to protect themselves,” Wilkinson said. “A key question for this committee to consider is: What do we do now given these identities are forever compromised?”
Social security numbers are a privacy nightmare. While a consumer who gets hacked can replace credit card numbers and other account details, a social security number is permanent, linked inexorably to a real identity throughout a person’s lifespan. In the hearing, Wilkinson and many of the Senators present argued that the U.S. needs to move to a dynamic system of personal identity, one designed with digital security in mind — a stark contrast with an inflexible legacy system that dates back to the 1930s.
“Some combination of digital multi-factor authentication… is the right path,” former Equifax CEO Richard Smith said when asked about such a program.
Multiple times throughout the hearing, Brazil’s Infraestrutura de Chaves Públicas system of citizen IDs through digital certificates came up as a potential model for the U.S. as it moves forward. In this model, a certificate lasts for three years at maximum and can be used to issue a digital signature much like written signatures are used now. Unlike its counterpart in the U.S., these identity accounts can be revoked and reissued easily through an established national protocol.
Members of the Senate committee also advocated for “rigorous” data security rules, expanding FTC authority to enforce them and stiffer penalties to motivate companies to protect consumers proactively.
“The parade of high profile data breaches seems to have no end,” said ranking committee member Bill Nelson. “We can either take action with common sense rules or we can start planning for our next hearing on the issue.”
Last month, White House Cybersecurity Coordinator Rob Joyce made it clear that the Trump administration is also interested in abandoning social security numbers in favor of a more secure, more digital form of identification, stating that the form of ID has “outlived its usefulness.”