The Good, the Bad and the Ugly in Cybersecurity – Week 13

The Good

The trend of “Hacker on Hacker” attacks seems to be continuing with news this week that the notorious criminal forum ‘Carding Mafia’ is the latest to suffer a data breach. Carding Mafia is a haven for those wanting to buy and sell stolen credit cards, with reportedly almost 300,000 registered users.

Data breach expert and creator of the Have I Been Pwned service, Troy Hunt, discovered the breach earlier this week. The exposed data included email and IP addresses, usernames and salted MD5 password hashes, a trove that we are sure will be of great interest to law enforcement agencies.

There’s no indication at this point as to who was behind the attack or what their objective was in leaking the data. According to one report, the data may have been available since late January.

At the time of writing, Carding Mafia appear not to have informed their users, but as news of the leak circulates (happy to help there!), we can only hope that the distrust this should engender in the site’s management may serve to disrupt in some small way the ongoing theft and trade of stolen credit cards.

The Bad

“Sounds like you can crash most OpenSSL servers on the Internet today” is not a phrase you want to hear on a Friday, we know. Alas, that seems to be the case in light of openssl.org patching two bugs yesterday and releasing an advisory warning that both CVE-2021-3449 and CVE-2021-3450 are high severity bugs impacting OpenSSL 1.1.1.

CVE-2021-3449 makes servers with a default OpenSSL configuration vulnerable to a crash and a denial of service attack if sent a maliciously crafted renegotiation ClientHello message.

The silver lining on this particular dark cloud is that neither OpenSSL TLS clients nor OpenSSL 1.0.2 are impacted. Everyone else should upgrade to OpenSSL 1.1.1k before the inevitable flood of bad actors starts taking advantage.

CVE-2021-3450 requires a more specific configuration in order to be exploited. An application must have set the X509_V_FLAG_X509_STRICT verification flag along with either not setting a “purpose” for the certificate verification or, for TLS client and server applications, having overridden the default “purpose”. OpenSSL versions 1.1.1h and higher are affected and users are advised to patch to 1.1.1k as a matter of urgency.
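The practical first question for a defender is which hosts are running an affected build. The checker below is an added example, not code from SentinelOne or from the OpenSSL advisory: it parses the output of `openssl version`, turns the `1.1.1j`-style version into a comparable tuple (the trailing patch letter sorts after the bare release, so `1.1.1` < `1.1.1a` < … < `1.1.1k`), and reports which of the two CVEs apply using the ranges stated above (CVE-2021-3449: the 1.1.1 series before 1.1.1k; CVE-2021-3450: 1.1.1h up to but not including 1.1.1k). The sample version strings are constructed for the demonstration; `check_local_openssl` is a convenience helper that shells out to whatever `openssl` binary is on the PATH.

```python
import re
import subprocess

# Version bounds for the two advisories, as (major, minor, fix, patch_letter).
# The empty patch letter is the bare 1.1.1 release; letters sort after it.
SERIES_START = (1, 1, 1, "")    # first release of the 1.1.1 series
CVE_3450_START = (1, 1, 1, "h")  # X509_V_FLAG_X509_STRICT bug introduced here
FIXED_IN = (1, 1, 1, "k")        # both CVEs fixed in 1.1.1k

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Parse 'openssl version' output, e.g. 'OpenSSL 1.1.1j  16 Feb 2021',
    into a tuple (major, minor, fix, patch_letter) that compares correctly."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("unrecognised OpenSSL version string: %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def assess(version):
    """Return which of the two March 2021 advisories apply to a version tuple.

    The check is purely on the upstream version number; see the note below
    about distribution builds that backport fixes without bumping the letter."""
    in_series = SERIES_START <= version < FIXED_IN
    return {
        "CVE-2021-3449": in_series,
        "CVE-2021-3450": in_series and version >= CVE_3450_START,
    }


def check_local_openssl():
    """Run the local 'openssl version' binary and assess it (hypothetical helper)."""
    out = subprocess.run(["openssl", "version"], capture_output=True,
                         text=True, check=True).stdout
    version = parse_openssl_version(out)
    return version, assess(version)


if __name__ == "__main__":
    # Constructed sample strings covering the interesting boundaries.
    samples = [
        "OpenSSL 1.0.2u  20 Dec 2019",  # 1.0.2 branch: not affected
        "OpenSSL 1.1.1g  21 Apr 2020",  # before h: only CVE-2021-3449
        "OpenSSL 1.1.1j  16 Feb 2021",  # h..j: both CVEs
        "OpenSSL 1.1.1k  25 Mar 2021",  # fixed release
    ]
    for s in samples:
        v = parse_openssl_version(s)
        print("%-32s -> %s" % (s, assess(v)))
    try:
        print("local:", check_local_openssl())
    except (OSError, subprocess.CalledProcessError) as exc:
        print("local openssl not available:", exc)
```

One caveat when using this in an inventory sweep: several Linux distributions backport security fixes into their packaged OpenSSL without changing the upstream version string, so a host reporting `1.1.1j` may already carry the fix. Treat a match from this check as a prompt to confirm the package's changelog or the vendor's advisory rather than as proof of exposure, and remember that CVE-2021-3450 additionally depends on the application having set `X509_V_FLAG_X509_STRICT`.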

The Ugly

As many a security researcher has found out, trying to report a security issue to a company can sometimes lead the reporter into hot water. It’s why there’s a fuzzy but widely-acknowledged playbook for ‘ethical reporting’ that’s intended to protect both reporter and reportee. Unfortunately, it seems that even when both sides apparently play by the ‘rules’, things can still turn ugly. Ethical researcher Rob Dyke this week revealed how one company turned the police on him even after thanking him for his report.

Dyke informed Apperta Foundation that they had left passwords, API keys and financial records openly exposed on a GitHub repository since at least 2019. After being thanked by the company for his report, Dyke next received a letter from their lawyers about his “unlawful” actions, followed up this week with a message from a police investigator stating that he’d been reported for a possible offence under the U.K.’s Computer Misuse Act.

It’s unclear what Apperta think Mr Dyke has done wrong at this point, but it may be related to the fact that he made an encrypted copy of the exposed data as part of the disclosure process. Dyke says he had already given assurances that the data would be destroyed.

It seems clear from the undisputed description of Mr Dyke’s actions that this was a genuine ‘ethical disclosure’, and bringing in lawyers and the police appears ‘heavy-handed’ to say the least. If security researchers can’t trust a company to behave ethically when handed a report in good faith, that can only be a bad thing for said company’s long-term cyber security hygiene. Surely both parties would agree that it was better that Mr Dyke discovered (and reported) the exposed data rather than criminals who would immediately seek to profit from it.



Read more about Cyber Security

UIPath’s meteoric rise from unknown startup to $35B RPA juggernaut

When TechCrunch covered UIPath’s Series A in 2017, it was a small startup out of Romania working in a little known area of enterprise software called robotic process automation (RPA).

Then the company took off with increasingly large multibillion dollar valuations. It progressed through its investment rounds, culminating with a $750 million round on an eye-popping $35 billion valuation last month.

This morning, the company took the next step on its rapid-fire evolutionary path when it filed its S-1 to go public. To illustrate just how fast the company’s rise has been, take a look at its funding history:

Chart illustrating rapid rise of UIPath through its funding rounds from 2017-2021


RPA is much better understood these days with larger enterprise software companies like SAP, Microsoft, IBM and ServiceNow getting involved. With RPA, companies can automate a mundane process like processing an insurance claim, moving work automatically, while bringing in humans only when absolutely necessary. For example, instead of having a person enter a number in a spreadsheet from an email, that can happen automatically.

In June 2019, Gartner reported that RPA was the fastest-growing area in enterprise software, growing at over 60% per year, and attracting investors and larger enterprise software vendors to the space. While RPA’s growth has slowed as it matures, a September 2020 Gartner report found it expanding at a more modest 19.5% with total revenue expected to reach $2 billion in 2021. Gartner found that stand-alone RPA vendors UIPath, Blue Prism and Automation Anywhere are the market leaders.

Although the market feels rather small given the size of the company’s valuation, it’s still a nascent space. In its S-1 filing this morning, the company painted a rosy picture, projecting a $60 billion addressable market. While TAM estimates tend to trend large, UIPath points out that the number encompasses far more than pure RPA into what they call “Intelligent Process Automation.” That could include not only RPA, but also process discovery, workflow, no-code development and other forms of automation.

Indeed, as we wrote earlier today on the soaring process automation market, the company is probably going to need to expand into these other areas to really grow, especially now that it’s competing with much bigger companies for enterprise automation dollars.

While UIPath is in the midst of its quiet period, it came up for air this week to announce that it had bought Cloud Elements, a company that gives it access to API integration, an important component of automation in the enterprise. Daniel Dines, the company co-founder and CEO said the acquisition was about building a larger platform of automation tools.

“The acquisition of Cloud Elements is just one example of how we are building a flexible and scalable enterprise-ready platform that helps customers become fully automated enterprises,” he said in a statement.

While there is a lot of CEO speak in that statement, there is also an element of truth in that the company is looking at the larger automation story. It can use some of the cash from its prodigious fundraising to begin expanding on its original vision with smaller acquisitions that can fill in missing pieces in the product road map.

The company will need to do that and more to compete in a rapidly moving market, where many vendors are fighting for different parts of the business. As it continues its journey to becoming a public company, it will need to continue finding new ways to increase revenue by tapping into different parts of the wider automation stack.

Slack wants to be more than a text-based messaging platform

Last October as Slack was preparing for its virtual Frontiers conference, the company began thinking about different ways people could communicate on the platform. While it had built its name on being able to integrate a lot of services in a single place to alleviate the dreaded task-switching phenomenon, it has been largely text-based up until now.

More recently, Slack has started developing a few new features that could bring different ways of interacting to the platform. CEO Stewart Butterfield discussed them on Thursday with former TechCrunch reporter Josh Constine, now a SignalFire investor, in a Clubhouse interview.

The talk was about the future of work, and Slack believes these new ways of communicating could help employees better connect online as we shift to a hybrid work world — one which has been hastened by the pandemic over the last year. There is a general consensus that many companies will continue to work in a hybrid fashion, even when the pandemic is over.

For starters, Slack aims to add a way to communicate by video. But instead of trying to compete with Zoom or Microsoft Teams, Slack is envisioning an experience that’s more like Instagram Stories.

Think about the CEO sharing an important announcement with the company, or the kind of information that might have gone out in a companywide email. Instead, you can skip the inbox and deliver the message directly by video. It’s taking a page from the consumer approach to social and trying to move it into the enterprise.

Writing in a company blog post earlier this week, Slack chief product officer Tamar Yehoshua was clear this was going to be an asynchronous approach, rather than a meeting kind of experience.

“To help with this, we are piloting ways to shift meetings toward an asynchronous video experience that feels native in Slack. It allows us to express nuance and enthusiasm without a meeting,” she wrote.

While it was at it, Slack decided to create a way of just chatting by voice. As Butterfield told Constine in his Clubhouse interview, this is essentially Clubhouse (or Twitter Spaces) being built for Slack.

Yeah, I’ve always believed the ‘good artists copy, great artists steal’ thing, so we’re just building Clubhouse into Slack, essentially. Like that idea that you can drop in, the conversation’s happening whether you’re there or not, you can enter and leave when you want, as opposed to a call that starts and stops, is an amazing model for encouraging that spontaneity and that serendipity and conversations that only need to be three minutes, but the only option for you to schedule them is 30 minutes. So look out for Clubhouse built into Slack.

Again, it’s taking a consumer social idea and applying it to a business setting with the idea of finding other ways to keep you in Slack when you could be using other tools to achieve the same thing, whether it be Zoom meetings, email or your phone.

Butterfield also hinted that another feature — asynchronous audio, allowing you to leave the equivalent of a voicemail — could be coming some time in the future. A Slack spokesperson confirmed that it was in the works, but wasn’t ready to share details yet.

It’s impossible to look at these features without thinking about them in the context of the $27 billion Salesforce acquisition of Slack at the end of last year. When you put them all together, you have this set of tools that let you communicate in whatever way makes the most sense to you.

When you combine that with Slack Connect DM, a new feature for communicating outside the organization that was released this week to some controversy, as people wanted assurances that they could control spam and harassment, it takes the concept one step further — outside the organization itself.

As part of a larger entity like Salesforce, these tools could be useful across sales, service and even marketing as a way to communicate in a variety of ways inside and outside the organization. And they greatly expand the value prop of Slack as it becomes part of Salesforce sometime later this year.

While it began talking about the new audio and video features last fall, the company has been piloting them since the beginning of this year. So far Slack is not saying when the new features will be generally available.

No code, workflow, and RPA line up for their automation moment

We’ve seen a lot of trend lines moving throughout 2020 and into 2021 around automation, workflow, robotic process automation (RPA) and the movement to low-code and no-code application building. While all of these technologies can work on their own, they are deeply connected and we are starting to see some movement towards bringing them together.

While the definition of process automation is open to interpretation, and could include things like industrial automation, Statista estimates that the process automation market could be worth $74 billion in 2021. Those are numbers that are going to get the attention of both investors and enterprise software executives.

Just this week, Berlin-based Camunda announced a $98 million Series B to help act as a layer to orchestrate the flow of data between RPA bots, microservices and human employees. Meanwhile UIPath, the pure-play RPA startup that’s going to IPO any minute now, acquired Cloud Elements, giving it a way to move beyond RPA into API automation.

Not enough proof for you? How about ServiceNow announcing this week that it is buying Indian startup Intellibot to give it — you guessed it — RPA capabilities. That acquisition is part of a broader strategy by the company to move into full-scale workflow and automation, which it discussed just a couple of weeks ago.

Meanwhile at the end of last year, SAP bought a different Berlin process automation startup, Signavio, for $1.2 billion after announcing new automated workflow tools and an RPA tool at the beginning of December. Microsoft is in on it too, having acquired process automation startup Softmotive last May, which it then combined with its own automation tool PowerAutomate.

What we have here is a frothy mix of startups and large companies racing to provide a comprehensive spectrum of workflow automation tools to empower companies to spin up workflows quickly and move work involving both human and machine labor through an organization.

The result is hot startups getting prodigious funding, while other startups are exiting via acquisition to these larger companies looking to buy instead of build to gain a quick foothold in this market.

Cathy Tornbohm, Distinguished Research Vice President at Gartner, says part of the reason for the rapidly growing interest is that these companies have stayed on the sidelines up until now, but they see an opportunity and are using their checkbooks to play catch up.

“IBM, SAP, Pega, Appian, Microsoft, ServiceNow all bought into the RPA market because for years they didn’t focus on how data got into their systems when operating between organizations or without a human. [Instead] they focused more on what happens inside the client’s organization. The drive to be digitally more efficient necessitates optimizing data ingestion and data flows,” Tornbohm told me.

For all the bluster from the big vendors, they do not control the pure-play RPA market. In fact, Gartner found that the top three players in this space are UIPath, Automation Anywhere and Blue Prism.

But Tornbohm says that, even as the traditional enterprise vendors try to push their way into the space, these pure-play companies are not sitting still. They are expanding beyond their RPA roots into the broader automation space, which could explain why UIPath came up from its pre-IPO quiet period to make the Cloud Elements announcement this week.

Dharmesh Thakker, managing partner at Battery Ventures, agrees with Tornbohm, saying that the shift to the cloud, accelerated by COVID-19, has led to an expansion of what RPA vendors are doing.

“RPA has traditionally focused on automation-UI flow and user steps, but we believe a full automation suite requires that ability to automate processes across the stack. For larger companies, we see their interest in the category as a way to take action on data within their systems. And for standalone RPA vendors, we see this as validation of the category and an invitation to expand their offerings to other pillars of automation,” Thakker said.

The activity we have seen across the automation and workflow space over the last year could be just the beginning of what Thakker and Tornbohm are describing, as companies of all sizes fight to become the automation stack of choice in the coming years.



Ketch raises $23M to automate privacy and data compliance

Ketch, a startup aiming to help businesses navigate the increasingly complex world of online privacy regulation and data compliance, is announcing that it has raised $23 million in Series A funding.

The company is also officially coming out of stealth. I actually wrote about Ketch’s free PrivacyGrader tool last year, but now it’s revealing the broader vision, as well as the products that businesses will actually be paying for.

The startup was founded by CEO Tom Chavez and CTO Vivek Vaidya. The pair previously founded Krux, a data management platform acquired by Salesforce in 2016, and Vaidya told me that Ketch is the answer to a question that they’d begun to ask themselves: “What kind of infrastructure can we build that will make our former selves better?”

Chavez said that Ketch is designed to help businesses automate the process of remaining compliant with data regulations, wherever their visitors and customers are. He suggested that with geographically specific regulations like Europe’s GDPR in place, there’s a temptation to comply globally with the most stringent rules, but that’s not necessary or desirable.

“It’s possible to use data to grow and to comply with the regulations,” Chavez said. “One of our customers turned off digital marketing completely in order to comply. This has got to stop […] They are a very responsible customer, but they didn’t know there are tools to navigate this complexity.”

Ketch orchestration screenshot


The pair also suggested that things are even more complex than you might think, because true compliance means going beyond the “Hollywood façade” of a privacy banner — it requires actually implementing a customer’s requests across multiple platforms. For example, Vaidya said that when someone unsubscribes to your email list, there’s “a complex workflow that needs to be executed to ensure that the email is not going to continue … and make sure the customer’s choices are respected in a timely manner.”

After all, Chavez noted, if a customer tells you, “I want to delete my data,” and yet they keep getting marketing emails or targeted ads, they’re not going to be satisfied if you say, “Well, I’ve handled that in the four walls of my own business, that’s an issue with my marketing and email partners.”

Chavez also said that Ketch isn’t designed to replace any of a business’ existing marketing and customer data tools, but rather to “allow our customers to configure how they want to comply vis-à-vis what jurisdiction they’re operating in.” For example, the funding announcement includes a statement from Patreon’s legal counsel Priya Sanger describing Ketch as “an easily configurable consent management and orchestration system that was able to be deployed internationally” that “required minimal engineering time to integrate into our systems.”

As for the Series A, it comes from CRV, super{set} (the startup studio founded by Chavez and Vaidya), Ridge Ventures, Acrew Capital and Silicon Valley Bank. CRV’s Izhar Armony and Acrew’s Theresia Gouw are joining Ketch’s board of directors.

And if you’d like to learn more about the product, Ketch is hosting a webinar at 11am Pacific today.

Salesforce updates includes sales info overlay for Zoom meetings

The pandemic has clearly had an impact on the way we work, and this is especially true for salespeople. Salesforce introduced a number of updates to Sales Cloud this morning, including Salesforce Meetings, a smart overlay for Zoom meetings that gives information and advice to the sales team as they interact with potential customers in online meetings.

Bill Patterson, EVP and general manager of CRM applications at Salesforce says that the company wanted to help sales teams manage these types of interactions better and take advantage of the fact they are digital.

“There’s a broad recognition, not just from Salesforce, but really from every sales organization that selling is forever changed, and I think that there’s been a broad understanding, and maybe a surprise in learning how effective we can be in the from anywhere kind of times, whether that’s in office or not in office or whatever,” Patterson explained.

Salesforce Meetings gives that overlay of information, whether it’s advice to slow down the pace of your speech or information about the person speaking. It also can compile action items and present a To Do list to participants at the end of each meeting to make sure that tasks don’t fall through the cracks.

This is made possible in part through the Einstein intelligence layer that is built across the entire Salesforce platform. In this case, it takes advantage of a new tool called Einstein Conversation Insights, which the company is also exposing as a feature for developers to build their own solutions using this tool.

For salespeople who might find the tool a bit too invasive, the confidence level of the information can be dialled up or down on an individual basis, so that each user gets a lot of information or a little depending on their needs.

For now, it works with Zoom and the company has been working closely with the Zoom development team to provide the API and SDK tooling it needs to pull off something like this, according to Patterson. He notes that plans are in the works to make it compatible with WebEx and Microsoft Teams in the future.

While the idea was in the works prior to the pandemic, COVID created a sense of urgency for this kind of feature, as well as other features announced today like Pipeline Inspection, which uses AI to analyze the sales pipeline. It searches for changes to deals over time with the goal of finding the ones that could benefit most from coaching or managerial support to get them over the finish line.

Brent Leary, founder and principal analyst at CRM Essentials says that this ability to capture information in online meetings is changing the way we think about CRM.

“The thing that caught my attention is how tightly integrated video meetings/collaboration is now into sales process. This is really compelling because meeting interactions that may not find their way into the CRM system are now automatically captured,” Leary told me.

Salesforce Meetings is available today, while Pipeline Inspection is expected to be available this summer.

Why Adam Selipsky was the logical choice to run AWS

When AWS CEO Andy Jassy announced in an email to employees yesterday that Tableau CEO Adam Selipsky was returning to run AWS, it was probably not the choice most considered. But to the industry watchers we spoke to over the last couple of days, it was a move that made absolute sense once you thought about it.

Gartner analyst Ed Anderson says that the cultural fit was probably too good for Jassy to pass up. Selipsky spent 11 years helping build the division. It was someone he knew well and had worked side by side with for over a decade. He could slide into the new role and be trusted to continue building the lucrative division.

Anderson says that even though the size and scope of AWS has changed dramatically since Selipsky left in 2016, when the company closed the year on a $16 billion run rate, the organization’s cultural dynamics haven’t changed all that much.

“Success in this role requires a deep understanding of the Amazon/AWS culture in addition to a vision for AWS’s future growth. Adam already knows the AWS culture from his previous time at AWS. Yes, AWS was a smaller business when he left, but the fundamental structure and strategy was in place and the culture hasn’t notably evolved since then,” Anderson told me.

Matt McIlwain, managing director at Madrona Venture Group, says the experience Selipsky had after he left AWS will prove invaluable when he returns.

“Adam transformed Tableau from a desktop, licensed software company to a cloud, subscription software company that thrived. As the leader of AWS, Adam is returning to a culture he helped grow as the sales and marketing leader that brought AWS to prominence and broke through from startup customers to become the leading enterprise solution for public cloud,” he said.

Holger Mueller, an analyst with Constellation Research, says that Selipsky’s business experience gave him the edge over other candidates. “His business acumen won out over [internal candidates] Matt Garman and Peter DeSantis. Insight on how Salesforce works may be helpful and valued as well,” Mueller pointed out.

As for leaving Tableau and with it Salesforce, the company that purchased it for $15.7 billion in 2019, Brent Leary, founder and principal analyst at CRM Essentials, believes that it was only a matter of time before some of these acquired company CEOs left to do other things. In fact, he’s surprised it didn’t happen sooner.

“Given Salesforce’s growing stable of top notch CEOs accumulated by way of a slew of high-profile acquisitions, you really can’t expect them all to stay forever, and given Adam Selipsky’s tenure at AWS before becoming Tableau’s CEO, this move makes a whole lot of sense. Amazon brings back one of their own, and he is also a wildly successful CEO in his own right,” Leary said.

While the consensus is that Selipsky is a good choice, he is going to have awfully big shoes to fill. The fact is that the division is continuing to grow even as a large business, currently on a run rate of over $50 billion. With a track record like that to follow, and Jassy still close at hand, Selipsky has to simply continue letting the unit do its thing while putting his own unique stamp on it.

Any kind of change is disconcerting though, and it will be up to him to put customers and employees at ease and plow ahead into the future. Same mission. New boss.

OneTrust adds ethics to its privacy platform with Convercent acquisition

OneTrust, a late stage privacy platform startup, announced it was adding ethics and compliance to the mix this morning by acquiring Convercent, a company that was built to help build more ethical organizations. The companies did not share the purchase price.

OneTrust just raised $300 million on a fat $5.1 billion valuation at the end of last year, and it’s putting that money to work with this acquisition. Alan Dabbiere, co-chairman at OneTrust sees this acquisition as a way to add a missing component to his company’s growing platform of services.

“Integrating Convercent instantly brings a proven ethics and compliance technology, team, and customer base into OneTrust, further aligning the Chief Ethics & Compliance Officer strategy alongside privacy, data governance, third-party risk, GRC (governance, risk and compliance), and ESG (environmental, social and governance) to build trust as a competitive advantage,” he said.

Convercent brings 750 customers and 150 employees to the OneTrust team along with its ethics system, which includes a way for employees to report ethical violations to the company and a tool for managing disclosures.

Convercent can also use data to help surface bad behavior before it’s been reported. As CEO Patrick Quinlan explained in a 2018 TechCrunch article:

“Sometimes you have this interactive code of conduct, where there’s a new vice president in a region and suddenly page views on the sexual harassment section of the Code of Conduct have increased 200% in the 90 days after he started. That’s easy, right? There’s a reason that’s happening, and our system will actually tell you what’s happening.”

Quinlan wrote in a company blog post announcing the deal that joining forces with OneTrust will give it the resources to expand its vision.

“As a part of OneTrust, we’ll be combining forces with the leader across privacy, security, data governance, third-party risk, GRC, ESG—and now—ethics and compliance. Our customers will now be able to build centralized programs across these workstreams to make trust a competitive differentiator,” Quinlan wrote.

Convercent was founded in 2012 and has raised over $100 million, according to Pitchbook data. OneTrust was founded in 2016. It has over 8000 customers and 150 employees and has raised $710 million, according to the company.

Tableau CEO Adam Selipsky is returning to AWS to replace Andy Jassy as CEO

When Amazon announced last month that Jeff Bezos was moving into the executive chairman role, and AWS CEO Andy Jassy would be taking over the entire Amazon operation, speculation began about who would replace Jassy.

People considered a number of internal candidates viable, such as Peter DeSantis, vice president of global infrastructure at AWS and Matt Garman, who is vice president of sales and marketing. Not many would have chosen Tableau CEO Adam Selipsky, but sure enough he is returning home to run the division he left in 2016.

In an email to employees, Jassy wasted no time getting to the point that Selipsky was his choice, saying that the former employee helped launch the division when they hired him in 2005, then spent 11 years helping Jassy build the unit before taking the job at Tableau. Through that lens, the choice makes perfect sense.

“Adam brings strong judgment, customer obsession, team building, demand generation, and CEO experience to an already very strong AWS leadership team. And, having been in such a senior role at AWS for 11 years, he knows our culture and business well,” Jassy wrote in the email.

Jassy has run AWS since its earliest days, taking it from humble beginnings as a kind of internal experiment on running a storage web service to building a mega division currently on a $51 billion run rate. It is that juggernaut that will be Selipsky’s to run, but he seems well-suited for the job.

He is a seasoned executive, and while he’s been away from AWS since before it really began to grow into a huge operation, he should still understand the culture well enough to step smoothly into the role. At the same time, he’s leaving Tableau, a company he helped transform from a desktop software company into one firmly based in the cloud.

Salesforce bought Tableau in June 2019 for a cool $15.7 billion and Selipsky has remained at the helm since then, but perhaps the lure of running AWS was too great and he decided to take the leap to the new job.

When we wrote a story at the end of last year about Salesforce’s deep bench of executive talent, Selipsky was one of the CEOs we pointed at as a possible replacement should CEO and chairman Marc Benioff step down. But with it looking more like president and COO Bret Taylor would be the heir apparent, perhaps Selipsky was ready for a new challenge.

Selipsky will make his return to AWS on May 17th and spend a few weeks with Jassy in a transitional time before taking over the division to run on his own. As Jassy slides into the Amazon CEO role, it’s clear the two will continue to work closely together, just as they did for over a decade.

Feedzai raises $200M at a $1B+ valuation for AI tools to fight financial fraud

On the heels of Jumio announcing a $150 million injection this week to continue building out its AI-based ID verification and anti-money laundering platform, another startup in the space is levelling up. Feedzai, which provides banks, others in the financial sector, and any company managing payments online with AI tools to spot and fight fraud — its cornerstone service involves super quick (3 millisecond) checks happening in the background while transactions are being made — has announced a Series D of $200 million. It said that the new financing is being made at a valuation of over $1 billion.

The round is being led by KKR, with Sapphire Ventures and strategic backer Citi Ventures — both past investors — also participating. Feedzai said it will be using the funds for further R&D and product development, to expand into more markets outside the U.S. — it was originally founded in Portugal but now is based out of San Mateo — and towards business development, specifically via partnerships to integrate and sell its tools.

One of those partners looks to be Citi itself:

“Citi is committed to advancing global payments anchored on transparency, efficiency, and control, and our partnership with Feedzai is allowing us to provide customers with technology that seamlessly balances agility and security,” said Manish Kohli, Global Head of Payments and Receivables, with Citi’s Treasury and Trade Solutions, in a statement.

This latest round comes nearly four years after Feedzai raised its Series C, a $50 million round led by an unnamed investor and with an undisclosed valuation. Sapphire also participated in that round. It has now raised some $182 million to date.

Feedzai’s funding is happening at a time when the need for fraud protection for those managing transactions online has reached a high watermark, leading to a rush of customers for companies in the field.

Feedzai says that its customers include 4 of the 5 largest banks in North America, 80% of the world’s Fortune 500 companies, and 154 million individual and business taxpayers in the U.S., and that it has processed $9 billion in online transactions for 2 of the world’s most valuable athletic brands. In total its reach covers some 800 million customers of businesses that use its services.

In addition to Citibank, its customers include Fiserv, Santander, SoFi, and Standard Chartered’s Mox.

While money laundering, fraud and other kinds of illicit financial activity were already problems then, in the interim, the problem has only compounded, not least because of how much activity has shifted online, accelerating especially in the last year of pandemic-driven lockdowns. That’s been exacerbated also by a general rise in cybercrime — of which financial fraud remains the biggest component and motivator.

Within that bigger trend, solutions based on artificial intelligence have really emerged as critical to the task of identifying and fighting those illicit activities. Not only is that because AI solutions are able to make calculations and take actions and simply process more than non-AI based tools, or humans for that matter, but they are then able to go head to head with much of the fraud taking place, which itself is being built out on AI-based platforms and requires more sophistication to identify and combat.

For banking customers, Feedzai’s approach has been disruptive in part because of how it has conceived of the problem: it has built solutions that can be used across different scenarios, making them more powerful since the AI system is subsequently “learning” from more data. This is in contrast to how many financial service providers had conceived and tackled the issue in the past.

“Until now banks have used solutions based on verticals,” Nuno Sebastiao, co-founder and CEO of Feedzai, said in the past to TechCrunch. “The fraud solution you have for an ATM wouldn’t be the same fraud solution you would use for online banking, which wouldn’t be the same fraud solution you would have for a voice call center.” As these companies have refreshed their systems, many have taken a more agnostic approach like the kind Feedzai has built.

The scale of the issue is clear, and unfortunately also something many of us have experienced first-hand. Feedzai says its data for the last quarter of 2020 shows that consumers saw a 650% increase in account takeover scams, a 600% increase in impersonation scams, and a 250% increase in online banking fraud attacks versus the first quarter of 2020. (Those periods are, essentially, before-pandemic and during-pandemic comparisons.)

“The past 12 months have accelerated the world’s dependency on electronic financial services – from online banking to mobile payments, and in turn have increased fraud and money laundering activity. Our services are in more demand than ever,” said Sebastiao in a statement today.

Indeed, yesterday, when I covered Jumio’s $150 million round, I said I wouldn’t consider its funding to be an outlier (even though Jumio made clear it was the largest funding to date in its space): the fast follow from Feedzai, with an even higher amount of financing, really does underscore the trend at the moment.

In addition to these two, one of Feedzai’s biggest competitors, Kount, was acquired by credit ratings giant Equifax earlier this year for $640 million to move deeper into the space. (And related to that field, in the area of identity management, which goes hand-in-hand with tools for laundering and fraud, Okta acquired Auth0 for $6.5 billion.)

Other big rounds for startups in the wider space have included ForgeRock ($96 million round), Onfido ($100 million), Payfone ($100 million), ComplyAdvantage ($50 million), Ripjar ($36.8 million), Truework ($30 million), Zeotap ($18 million) and Persona ($17.5 million).

KKR’s involvement in this round is notable as another example of a private equity firm getting in earlier, at the venture-round stage, with fast-scaling startups, similar to Great Hill’s investment in Jumio yesterday and a number of other examples. The firm says it’s making this investment out of its Next Generation Technology Growth Fund II, which is focused on growth equity investment opportunities in the technology space.

“Feedzai offers a powerful solution to one of the biggest challenges we are facing today: financial crime in the digital age. Global commerce depends on future-proof technologies capable of dealing with a rapidly evolving threat landscape. At the same time, consumers rightfully demand a great customer experience, in addition to strong security layers when using banking or payments services,” said Stephen Shanley, Managing Director at KKR, in a statement.

“We believe Feedzai’s platform uniquely meets these expectations and more, and we are looking forward to working with Nuno and the rest of the team to expand their offering even further,” added Spencer Chavez, Principal at KKR.