Zebeth Media Solutions

Ring launches pilot program to let local agencies share updates and ‘safety information’ • ZebethMedia

Ring today announced that local government agencies will be able to have an official presence on the company’s Neighbors app. Beginning with the City of North Port and Pinellas County Government in Florida and the City of Fulton in New York, the new program will allow government organizations to provide safety information through Neighbors, the Amazon-owned company’s neighborhood watch feature that alerts users to nearby alleged crimes and events.

“Local government agencies, such as county and municipality governments and their departments, play an important role in public safety,” Ring wrote in a blog post published this afternoon. “This pilot program will enable users in select municipalities to receive more safety information, updates and tips from a broader group of local agencies, all in one place.”

Participating local government agencies will have public profiles in Neighbors that users can visit to see their activity and posts. Ring notes that the program won’t enable the agencies to make a “Request for Assistance” on Neighbors, a capability that lets law enforcement ask the public for help with an active investigation. For the time being, that’ll remain reserved to the police departments that’ve partnered with Ring.

The new Ring program, while helpful on its face, is unlikely to win over consumer advocates who’ve argued the company’s devices are a security threat. As ZebethMedia previously reported, Ring has a history of sharing footage with the government without users’ permission. Between January and July of this year alone, Amazon shared Ring doorbell footage with U.S. authorities 11 times without informing the device owners. Ring has been criticized for working closely with thousands of police departments around the U.S., allowing police to request video doorbell camera footage from homeowners through Neighbors. Ring only began disclosing its connections with law enforcement after the U.S. government sent demands for transparency from the company.

A simple Android lock screen bypass bug landed a researcher $70,000 • ZebethMedia

Google has paid out $70,000 to a security researcher for privately reporting an “accidental” security bug that allowed anyone to unlock Google Pixel phones without knowing the passcode. The lock screen bypass bug, tracked as CVE-2022-20465, is described as a local escalation of privilege bug because it allows someone, with the device in their hand, to access the device’s data without having to enter the lock screen’s passcode.

Hungary-based researcher David Schütz said the bug was remarkably simple to exploit but took Google about five months to fix. Schütz discovered that anyone with physical access to a Google Pixel phone could swap in their own SIM card and enter its preset recovery code to bypass the Android operating system’s lock screen protections. In a blog post about the bug, published now that the bug is fixed, Schütz described how he found the bug accidentally, and reported it to Google’s Android team.

Android lock screens let users set a numerical passcode, password, or a pattern to protect their phone’s data, or these days a fingerprint or face print. Your phone’s SIM card might also have a separate PIN code set to block a thief from ejecting and physically stealing your phone number. But SIM cards have an additional personal unlocking code, or PUK, to reset the SIM card if the user incorrectly enters the PIN code more than three times. PUK codes are fairly easy for device owners to obtain, often printed on the SIM card packaging or available directly from the cell carrier’s customer service.

Schütz found that entering a SIM card’s PUK code was enough to trick his fully patched Pixel 6 phone, and his older Pixel 5, into unlocking the phone and its data, without ever visually displaying the lock screen. He warned that other Android devices might also be vulnerable. Since a malicious actor could bring their own SIM card and its corresponding PUK code, only physical access to the phone is required, he said.

“The attacker could just swap the SIM in the victim’s device, and perform the exploit with a SIM card that had a PIN lock and for which the attacker knew the correct PUK code,” said Schütz.

Google can pay security researchers up to $100,000 for privately reporting bugs that could allow someone to bypass the lock screen, since a successful exploit would allow access to a device’s data. The bug bounty rewards are high in part to compete with efforts by companies like Cellebrite and Grayshift, which rely on software exploits to build and sell phone cracking technology to law enforcement agencies. In this case, Google paid Schütz a lesser $70,000 bug bounty reward because while his bug was marked as a duplicate, Google was unable to reproduce — or fix — the bug reported before him.

Google fixed the Android bug in a security update released on November 5, 2022 for devices running Android 10 through Android 13. You can see Schütz exploiting the bug in his video below.

‘We know who you are’ • ZebethMedia

The Australian Federal Police claims to have identified the cybercriminals behind the Medibank ransomware attack, which compromised the personal data of 9.7 million customers. AFP Commissioner Reece Kershaw said on Friday that the agency knows the identity of the individuals responsible for the attack on Australia’s largest private health insurer. He declined to name the individuals but said the AFP believes that those responsible for the breach are in Russia, though some affiliates may be in other countries.

In a tweet, Australian Prime Minister Anthony Albanese, whose own Medibank data was stolen, said the AFP knows where the hackers are and is working to bring them to justice.

The Australian Federal Police have identified the hackers, revealing they’re located in Russia. We know where they are. And we are working hard to bring them to justice. — Anthony Albanese (@AlboMP) November 11, 2022

Kershaw said that police intelligence points to a “group of loosely affiliated cyber criminals” who are likely responsible for previous significant data breaches around the world, but did not name victims. “These cyber criminals are operating like a business with affiliates and associates who are supporting the business,” he added, pointing to ransomware-as-a-service operations such as LockBit. On Thursday, a dual Russian-Canadian national linked to the LockBit operation was arrested in Canada.

The hackers behind the Medibank breach have previously been linked to the high-profile Russian cybercrime gang REvil, also known as Sodinokibi. REvil’s once-defunct dark web leak site now redirects traffic to a new site that hosts the stolen Medibank data, and the hackers behind the breach have also been observed using a variant of REvil’s file-encrypting malware.

The Russian Embassy in Canberra was quick to rebuff allegations that the Medibank hackers are based in Russia. “For some reason, this announcement was made before the AFP even contacted the Russian side through the existing professional channels of communication,” the embassy said in a statement on Friday. “We encourage the AFP to duly get in touch with the respective Russian law enforcement agencies.”

Russia’s federal security service FSB (formerly the KGB) said in January that REvil “ceased to exist” after several arrests were made at the request of the U.S. government. In March, Ukrainian national Yaroslav Vasinskyi, an alleged key member of the REvil group linked to an attack on U.S. software vendor Kaseya, was extradited from Poland to the U.S. to face charges. “Even after a series of law enforcement operations against REvil, the gang and its affiliates still seem to keep returning, based on the analysis of the latest REvil ransomware sample,” Roman Rezvukhin, head of the malware analysis and threat hunting team at Group-IB, tells ZebethMedia.

Kershaw said on Friday that the AFP, along with international partners such as Interpol, will “be holding talks with Russian law enforcement about these individuals.” “It is important to note that Russia benefits from the intelligence-sharing and data shared through Interpol, and with that comes responsibilities and accountability,” Kershaw said. “To the criminals: We know who you are, and moreover, the AFP has some significant runs on the scoreboard when it comes to bringing overseas offenders back to Australia to face the justice system.”

While the AFP has successfully extradited people from Poland, Serbia, and the United Arab Emirates in recent years to face criminal charges in Australia, extraditing Russian hackers is likely to be challenging. In 2018, Russian President Vladimir Putin declared that “Russia does not extradite its citizens to anyone.”

Despite action by the AFP, the Medibank breach continues to worsen following its decision to refuse to pay the cybercriminals’ ransom demand. On Thursday, the attackers’ dark web blog posted more stolen data, including sensitive files related to abortions and alcohol-related illnesses. The cybercriminals claimed that they initially sought $10 million in ransom from Medibank before reducing the sum to $9.7 million, or $1 per affected customer, the blog said.

“Unfortunately, we expect the criminal to continue to release stolen customer data each day,” Medibank CEO David Koczkar said on Friday. “These are real people behind this data and the misuse of their data is deplorable and may discourage them from seeking medical care.”

Google says surveillance vendor targeted Samsung phones with zero-days • ZebethMedia

Google says it has evidence that a commercial surveillance vendor was exploiting three zero-day security vulnerabilities found in newer Samsung smartphones. The vulnerabilities, discovered in Samsung’s custom-built software, were used together as part of an exploit chain to target Samsung phones running Android. The chained vulnerabilities allow an attacker to gain kernel read and write privileges as the root user, and ultimately expose a device’s data.

Google Project Zero security researcher Maddie Stone said in a blog post that the exploit chain targets Samsung phones with an Exynos chip running a specific kernel version. Samsung phones are sold with Exynos chips primarily across Europe, the Middle East, and Africa, which is likely where the targets of the surveillance are located. Stone said Samsung phones running the affected kernel at the time include the S10, A50, and A51.

The flaws, since patched, were exploited by a malicious Android app, which the user may have been tricked into installing from outside of the app store. The malicious app allows the attacker to escape the app sandbox designed to contain its activity, and access the rest of the device’s operating system. Only a component of the exploit app was obtained, Stone said, so it isn’t known what the final payload was, even if the three vulnerabilities paved the way for its eventual delivery.

“The first vulnerability in this chain, the arbitrary file read and write, was the foundation of this chain, used four different times and used at least once in each step,” wrote Stone. “The Java components in Android devices don’t tend to be the most popular targets for security researchers despite it running at such a privileged level,” said Stone.

Google declined to name the commercial surveillance vendor, but said the exploitation follows a pattern similar to recent device infections where malicious Android apps were abused to deliver powerful nation-state spyware. Earlier this year security researchers discovered Hermit, an Android and iOS spyware developed by RCS Lab and used in targeted attacks by governments, with known victims in Italy and Kazakhstan. Hermit relies on tricking a target into downloading and installing the malicious app, such as a disguised cell carrier assistance app, from outside of the app store, but then silently steals a victim’s contacts, audio recordings, photos, videos, and granular location data. Google began notifying Android users whose devices have been compromised by Hermit. Surveillance vendor Connexxa also used malicious sideloaded apps to target both Android and iPhone owners.

Google reported the three vulnerabilities to Samsung in late 2020, and Samsung rolled out patches to affected phones in March 2021, but did not disclose at the time that the vulnerabilities were being actively exploited. Stone said that Samsung has since committed to begin disclosing when vulnerabilities are actively exploited, following Apple and Google, which also disclose in their security updates when vulnerabilities are under attack.

“The analysis of this exploit chain has provided us with new and important insights into how attackers are targeting Android devices,” Stone added, intimating that further research could unearth new vulnerabilities in custom software built by Android device makers, like Samsung. “It highlights a need for more research into manufacturer specific components. It shows where we ought to do further variant analysis,” said Stone.

Okta CEO opens up about Auth0 acquisition, SaaS slump and Lapsus$ attack • ZebethMedia

Okta launched a cloud identity product back in 2009 when most people were locked into Microsoft Active Directory, an on-prem incumbent so entrenched that nobody believed that anyone could touch it. It took a little audacity to go after a giant like that, but Okta took a cloud-first approach, a markedly different strategy from Active Directory at the time. The company raised over $230 million before going public in 2017. It reached unicorn status with a $75 million raise on a $1.2 billion valuation back in 2015 when the designation meant a little more than it does these days.

With ownership of the workforce side of the market, Okta decided to make another bold move when it acquired Auth0 for $6.5 billion during the stock market bubble that accelerated in 2020. The idea behind the deal was not simply to own an identity tool favored by developers — although that was certainly a big part of it — it was really about owning another large piece of the market, one that could make Okta a one-stop identity shop.

“There’s a very deep divide between legacy and modern in this market.” — Okta CEO Todd McKinnon

Okta wanted to own both the workforce market, the core of its approach to that point, as well as the customer identity market where Auth0 lived. And Okta made a substantial bet for a company of its size to make that happen. Okta isn’t alone in the identity space; competitors include companies large and small like ForgeRock, SAP, IBM, Ping Identity, Salesforce, Microsoft, and Akamai, among others.

Like every other SaaS company out there, Okta has had a rough year in the public markets, down over 80% in the past year (although it was up almost 10% in midday trading Thursday). It also had to deal with an attack spearheaded by the group Lapsus$ that happened in January but was reported in March — and the fallout from its response.

Despite these headwinds, the company has big long-term goals to own the cloud identity market and believes it can ride out the current temporary macroeconomic conditions and the legacy vendors to get there. We sat down with CEO and co-founder Todd McKinnon recently and asked him about how he is navigating these times — and the lessons he’s learned along the way.

Growing Auth0

McKinnon emphasized that he spent 14% of his stock value at the time to acquire Auth0, a number he knows off the top of his head, because he wants his company to own the cloud identity market, and he doesn’t think he could do it without Auth0. “We bought them to change, and we bought them because we needed change to win this customer identity market,” he told ZebethMedia. “Our strategy is that we have to win both the workforce market and the customer identity market. And the only way we’re going to turn identity into one of these most important platforms for every company is we have to [own] both use cases.”

He said integrating two companies like this didn’t come without challenges, and he may have moved too quickly to bring the products together.

Police arrest suspected LockBit operator as the ransomware gang spills new data • ZebethMedia

A Russian national linked to the LockBit ransomware operation has been arrested over his alleged involvement in attacks targeting critical infrastructure and large industrial groups worldwide. The 33-year-old suspect was arrested in Ontario, Canada on October 26 following an investigation led by the French National Gendarmerie with the help of Europol’s European Cybercrime Centre, the FBI, and the Royal Canadian Mounted Police. During the arrest, police seized eight computers, 32 external hard drives, and €400,000 in cryptocurrencies, Europol said. The arrest follows a similar action in Ukraine in October last year when a joint international law enforcement operation led to the arrest of two of his accomplices.

Europol says the suspect, described as “one of the world’s most prolific ransomware operators,” was one of its high-value targets due to his involvement in numerous high-profile ransomware cases. The EU police agency added that he is known for trying to extort victims with ransom demands of between €5 million and €70 million. The suspect will now face charges in the United States. An announcement from the U.S. Department of Justice is expected later today.

Specific victims targeted by the suspected LockBit operator were not named by Europol. However, France’s involvement in the operation suggests he could be linked to a recent attack on French aerospace and defense group Thales. LockBit, a prominent ransomware operation that’s previously claimed attacks on tech manufacturer Foxconn, U.K. health service vendor Advanced, and IT giant Accenture, added Thales to its leak site on October 31. The group claimed to have published data stolen from the company today, which it describes as “very sensitive” and “high risk” in nature. Contents of the data leak include commercial documents, accounting files and customer files, according to LockBit, though the files had not been published at the time of publication.

“As far as customers are concerned, you can approach the relevant organizations to consider taking legal action against this company that has greatly neglected the rules of confidentiality,” a message on the LockBit leak site reads. Thales spokesperson Cedric Leurquin did not immediately respond to our request for comment.

LockBit also claims to have today leaked 40 terabytes of data stolen from German automotive giant Continental, and samples of the data suggest that the gang has accessed technical documents and source code. Though a ransom demand was not explicitly stated, the ransomware gang’s leak page claims to offer access to the full tranche of stolen data for $50 million. Continental spokesperson Marc Siedler told ZebethMedia that the company’s investigation into the incident has revealed that “attackers were also able to steal some data from the affected IT systems,” but refused to say what types of data were stolen or how many customers and employees have been affected.

Twitter chief information security officer Lea Kissner departs • ZebethMedia

Twitter’s most senior cybersecurity staffer Lea Kissner has departed the social media giant. Kissner announced the move in a tweet on Thursday, saying they made the “hard decision” to leave Twitter, but did not say for what reason they resigned. Elon Musk completed a $44 billion takeover of Twitter two weeks ago, resulting in layoffs affecting more than half of the company and the departure of senior executives, including CEO Parag Agrawal, general counsel Sean Edgett, and legal policy chief Vijaya Gadde.

News of Kissner’s departure was first reported by Casey Newton. Twitter’s chief compliance officer and chief privacy officer also resigned on Wednesday, Newton said. It’s not immediately clear who is responsible for Twitter’s day-to-day security operations following Kissner’s departure. A spokesperson for Twitter did not immediately respond to a request for comment.

I’ve made the hard decision to leave Twitter. I’ve had the opportunity to work with amazing people and I’m so proud of the privacy, security, and IT teams and the work we’ve done. I’m looking forward to figuring out what’s next, starting with my reviews for @USENIXSecurity 😁 — Lea Kissner (@LeaKissner) November 10, 2022

Kissner, who previously served as Twitter’s head of privacy engineering, was appointed Twitter’s chief information security officer (CISO) in January 2022 following the departure of security head Peiter “Mudge” Zatko and then-CISO Rinki Sethi. Mudge went on to blow the whistle to federal regulators claiming security mismanagement and lax access controls that put users’ data at risk.

Twitter is currently under a 2011 agreement with the Federal Trade Commission which accused Twitter of cybersecurity failings that allowed cybercriminals to access internal systems and user data. The decree mandates that Twitter “establish and maintain a comprehensive information security program” to be audited every decade. It’s not clear how Twitter maintains that compliance with the FTC without a company security lead in place. One employee said in a company Slack that it was for Twitter engineers to “self-certify” compliance with the FTC.

Earlier this year, Twitter was fined $150 million for violating that 2011 consent decree for misusing email addresses and phone numbers provided by users to set up two-factor authentication for targeted advertising.

Aiphone door entry systems can be ‘easily’ bypassed thanks to NFC bug • ZebethMedia

A security research firm says it discovered an “easily” exploitable vulnerability in a door entry security system used in government buildings and apartment complexes, but warns that the vulnerability cannot be fixed. Norwegian security company Promon says the bug affects several Aiphone GT models that use NFC technology, often found in contactless credit cards, and allows bad actors to potentially gain access to sensitive facilities by brute-forcing the door entry system’s security code.

Door entry systems allow secure access to buildings and residential complexes, but have become increasingly digitized, making them vulnerable to both physical and remote compromise. Aiphone counts both the White House and the U.K. Parliament as customers of the affected systems, according to company brochures seen by ZebethMedia.

Promon security researcher Cameron Lowell Palmer said a would-be intruder can use an NFC-capable mobile device to rapidly cycle through every permutation of a four-digit “admin” code used to secure each Aiphone GT door system. Because the system does not limit how many times a code can be tried, Palmer said it takes only minutes to cycle through each of the 10,000 possible four-digit codes used by the door entry system. That code can be punched into the system’s keypad, or transmitted to an NFC tag, allowing bad actors to potentially access restricted areas without having to touch the system at all.

In a video shared with ZebethMedia, Palmer built a proof-of-concept Android app that allowed him to check every four-digit code on a vulnerable Aiphone door entry system in his test lab. Palmer said the affected Aiphone models do not store logs, allowing a bad actor to bypass the system’s security without leaving a digital trace.

Image Credits: Cameron Lowell Palmer / Promon

Palmer disclosed the vulnerability to Aiphone in late June 2021. Aiphone told the security company that systems manufactured before December 7, 2021 are affected and cannot be updated, but that systems after this date have a software fix that limits the rate of door entry attempts.

It’s not the only bug that Promon discovered in the Aiphone system. Promon also said it discovered that the app used to set up the door entry system offers an unencrypted, plaintext file that contains the administrator code for the system’s back-end portal. Promon said that could allow an intruder to also access the information needed to access restricted areas. Aiphone spokesperson Brad Kemcheff did not respond to requests for comment sent prior to publication.

Relatedly, a university student and security researcher earlier this year discovered a “master key” vulnerability in a widely used door entry system built by CBORD, a tech company that provides access control and payment systems to hospitals and university campuses. CBORD fixed the bug after the researcher reported the issue to the company.
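The two defects Promon describes, no limit on attempts against a four-digit admin code and no logs, modelled as an added simulation beside a hardened variant that does what Aiphone’s post-December 2021 fix is said to do (rate-limit attempts). This is example code, not Aiphone firmware or Promon’s app; the controller classes, the five-failure/30-second lockout policy and the sample code 4321 are assumptions.

```python
from dataclasses import dataclass, field

CODE_SPACE = 10_000  # four-digit numeric admin codes, "0000" to "9999"


class FakeClock:
    """Deterministic clock so lockouts can be exercised without sleeping."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


@dataclass
class UnlimitedController:
    """Models the reported pre-fix behaviour: every attempt is compared, nothing is logged."""

    admin_code: str
    compared: int = 0  # number of codes the controller actually evaluated

    def try_code(self, code: str) -> bool:
        self.compared += 1
        return code == self.admin_code


@dataclass
class LockoutController:
    """Hardened variant: lockout after a batch of failures, plus an audit log."""

    admin_code: str
    clock: FakeClock
    max_failures: int = 5      # assumed policy, not Aiphone's
    lockout_s: float = 30.0    # assumed policy, not Aiphone's
    failures: int = 0
    locked_until: float = 0.0
    compared: int = 0
    audit_log: list = field(default_factory=list)  # (time, source, event)

    def try_code(self, code: str, source: str = "nfc") -> bool:
        now = self.clock()
        if now < self.locked_until:
            # Refused before any comparison: a locked controller reveals nothing.
            self.audit_log.append((now, source, "refused-locked"))
            return False
        self.compared += 1
        if code == self.admin_code:
            self.failures = 0
            self.audit_log.append((now, source, "admin-unlock"))
            return True
        self.failures += 1
        self.audit_log.append((now, source, "bad-code"))
        if self.failures % self.max_failures == 0:
            self.locked_until = now + self.lockout_s
            self.audit_log.append((now, source, "lockout"))
        return False


def all_codes():
    """Every four-digit code, zero-padded, in order."""
    return (f"{n:04d}" for n in range(CODE_SPACE))


def comparisons_when_unlimited(admin_code: str) -> int:
    """How many comparisons an UnlimitedController performs when fed the whole code space."""
    ctl = UnlimitedController(admin_code)
    for code in all_codes():
        ctl.try_code(code)
    return ctl.compared


def min_seconds_to_exhaust(max_failures: int, lockout_s: float) -> float:
    """Lower bound on wall-clock time to try every code against a LockoutController,
    assuming instant attempts and the correct code tried last (9,999 failures)."""
    worst_failures = CODE_SPACE - 1
    return (worst_failures // max_failures) * lockout_s


if __name__ == "__main__":
    clock = FakeClock()
    ctl = LockoutController("4321", clock)
    for code in ["0000", "0001", "0002", "0003", "0004", "0005"]:
        ctl.try_code(code)
    print("codes compared after six attempts:", ctl.compared)  # 5; the sixth was refused
    print("hours to exhaust the code space with lockout:",
          min_seconds_to_exhaust(5, 30.0) / 3600)
```

With the assumed policy the exhaustive search drops from “minutes” to a lower bound of roughly 16.7 hours of wall-clock time, and every refused attempt leaves an audit record the unlimited model never produced.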

Hackers start leaking health data after ransomware attack • ZebethMedia

Medibank has urged its customers to be on high alert after cybercriminals began leaking sensitive medical records stolen from the Australian health insurance giant. A ransomware group with ties to the notorious Russian-speaking REvil gang began publishing the stolen records early Wednesday, including customers’ names, birth dates, passport numbers, and information on medical claims. This comes after Medibank said it would not pay the ransom demand, saying, “We believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published.”

The cybercriminals selectively separated the first sample of Australian breach victims into “naughty” and “good” lists, with the former including numerical diagnosis codes that appeared to link victims to drug addiction, alcohol abuse, and HIV, according to Agence France-Presse. For example, one record carries an entry that reads “F122,” which corresponds with “cannabis dependence” under the International Classification of Diseases published by the World Health Organization.

It’s also believed the leaked data includes the names of high-profile Medibank customers, which likely includes senior Australian government lawmakers, like prime minister Anthony Albanese and cybersecurity minister Clare O’Neil. The portion of data leaked so far, seen by ZebethMedia, also appears to include correspondence of negotiations between the cybercriminals and Medibank CEO David Koczkar. Screenshots of WhatsApp messages suggest that the ransomware group also plans to leak “keys for decrypting credit cards” despite Medibank’s assertion that no banking or credit card details were accessed.

“Based on our investigation to date into this cybercrime we currently believe the criminal did not access credit card and banking details,” Medibank spokesperson Liz Green told ZebethMedia in an emailed statement on Wednesday, deferring to the company’s blog post.

The cybercriminal gang behind the Medibank ransomware attack, whose identities are not known but which has relied on a variant of REvil’s file-encrypting malware, has so far leaked the personal details of around 200 Medibank customers, a fraction of the data that the group claims to have stolen. Medibank confirmed on Tuesday that the cybercriminals had accessed roughly 9.7 million customers’ personal details and health claims data for almost 500,000 customers.

What should victims do?

In light of the data leak, which exposed highly confidential information that could be abused for financial fraud, Medibank and the Australian Federal Police are urging customers to be on high alert for phishing scams and unexpected activity across online accounts. Medibank is also advising users to ensure they are not re-using passwords and have multi-factor authentication enabled on any online accounts where the option is available.

Medibank also launched a “cyber response support package” for affected customers, Medibank’s Green told ZebethMedia. This includes hardship support, identity protection advice and resources, and reimbursement of government ID replacement fees. The health insurance giant is also providing a wellbeing line, a mental health outreach service, and personal duress alarms.

Australia’s federal police are investigating the breach in collaboration with agencies from around the Commonwealth, as well as from the other members of the “Five Eyes” group of intelligence-sharing governments, including the U.K., U.S., Canada, and New Zealand. Operation Guardian, the Australian government’s response to the recent wave of cyberattacks that began with the data breach at telco giant Optus, will be extended to Medibank to protect its customers from “financial fraud and identity theft.”

“Operation Guardian will be actively monitoring the clear, dark and deep web for the sale and distribution of Medibank Private and Optus data,” said AFP Assistant Commissioner Cyber Command Justine Gough. “Law enforcement will take swift action against anyone attempting to benefit, exploit or commit criminal offenses using stolen Medibank Private data.”

What’s next?

In its latest update, Medibank is bracing for the situation to worsen, saying that it “expects the criminal to continue to release files on the dark web.” On its dark web leak site, the cybercriminals said they planned to “continue posting data partially, including confluence, source codes, list of stuff and some files obtained from medi filesystem from different hosts.”

Medibank says it will continue to contact all affected customers with specific advice and details of what data the attackers have accessed. However, customers at a heightened risk of being targeted by fraudulent emails should ensure that emails are genuinely coming from Medibank. Medibank said it would not ask for personal details over email. If in doubt, don’t click any links.

It’s not yet known whether Medibank customers will receive compensation following the breach or whether Medibank will face action for failing to protect users’ confidential medical data. The breach comes just weeks after Australia confirmed an incoming legislative change to the country’s privacy laws, following a long process of consultation on reforms. The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 will increase the maximum penalties that can be applied under the Privacy Act 1988 for serious or repeated privacy breaches and give greater powers to the Australian information commissioner.

Two law firms also said on Tuesday that they are investigating whether Medibank had breached its obligations to customers under the country’s Privacy Act. The firms, Bannister Law and Centennial Lawyers, will investigate whether Medibank breached its privacy policy and the terms of its contract with customers and will also assess whether damages should be paid as a result of the breach.

Laika laps up $50M for its automated security compliance platform • ZebethMedia

Compliance with privacy and security frameworks like SOC 2, HIPAA and GDPR has become a central component not just of how organizations build trust with their users, but of how organizations work together these days: fail to meet the requirements of these frameworks, and you might lose your business relationship. Today, Laika — one of the bigger startups providing tools to help meet those compliance demands — is announcing $50 million in funding, underscoring the growth in this space. Laika will be using the equity, a Series C, to continue expanding the functionality of its platform and its wider business funnel. Laika today has some 500 customers, with that number growing four-fold in the last 12 months; and it provides integrations for some 100 different software packages to measure how client compliance stacks up across them, with tools including integrated audits, penetration testing and security questionnaires (which are using in RFPs and due diligence ahead of securing contracts). In an interview, Austin Ogilvie, Laika’s co-founder and co-CEO, said the plan will be to expand in both customer numbers and the number of sources Laika can tap to measure data protection and other compliance metrics across an organization’s wider digital footprint. Fin Capital is leading this round, with new backers Centana Growth Partners and previous investors J.P. Morgan Growth Equity Partners, Canapi, and ThirdPrime all also participating, among others not being named. Other notable past investors have included some very big names in the world of fintech, including PayPal, and fintech specialist VCs NYCA and Dash Fund — a fuller list that points to Laika’s traction in financial services in particular. The finance sector has for years at this point been a significant user of compliance software for regulatory and business reasons. 
But, as Ogilvie pointed out to me, we are long past the point of financial companies being the primary users of compliance tools: that is one reason why growth is motoring along for companies like Laika right now, and why Laika specifically is able to raise a decent round at a time when funding is much harder to come by for startups. On top of this, Ogilvie and Laika’s other co-founders, Sam Li and Eva Pittas (respectively the co-CEO and COO, with all three pictured above), have collective exposure and experience across insurance, data science and risk protection that speaks to the bigger opportunity the company is tackling.

Including this latest Series C, Laika has now raised $98 million in total. While it’s not disclosing valuation, Ogilvie confirmed it was a “healthy step up” from its Series B, which PitchBook notes was $235 million post-money when that closed in 2021. (In other words it’s now more than $335 million.) For a little more context, two of Laika’s close competitors in the world of monitoring data protection compliance, Vanta and Drata, each raised rounds this year that valued them at or just above $1 billion.

Laika’s growing coffers come at a timely moment, and that’s not just because its competitors are also raising. First, the number of compliance frameworks being formed globally is growing; and second, the bigger an organization or its operations, the more complicated the task of ensuring compliance becomes. “Compliance has been a top for at least the last 10 years, but it’s really dialed up in the last three, where there has been just an explosion of these, some regulatory but others like PCI just a non-option when it comes to compliance,” Ogilvie said.
“If you sell or work with any brand of consequence, they will do due diligence that includes security assessments, and you also have to demonstrate that you are continuously operating according to those principles.” The biggest customers might have as many as 5,000 vendors that need to be assessed and regularly audited, a task that in itself necessitates automation and a platform approach.

But smaller organizations need software, too, often for a slightly different set of reasons, he said. “Some come to us having never needed to look at this. Using Laika will be the first time seeing a security assessment document,” Ogilvie said. Others might be using Laika in place of having adequate staff or infosec teams in-house to monitor and maintain these data relationships. Covid, he added, increased the need for these tools: with more people working remotely and in the cloud, organizations typically need more apps and, more generally, a different kind of security and data protection environment.

There are a number of compliance tools in the market today — no surprise considering the ever-persistent cybersecurity threats and a growing awareness among regulators and the general public of data protection. Even before Covid really became a vector, the industry was already worth some $32 billion annually. That number is projected to reach nearly $75 billion by 2028.

Investors say that Laika — named after the Russian dog, the first non-human sent into space, and a “gentle nod towards pioneering and exploration,” said Ogilvie — stands out by being one of the easier tools to adopt and regularly use. “Laika has filled a unique gap in the rapidly-growing compliance automation and audit management space, by providing the only comprehensive, centralized compliance platform,” said Christian Ostberg, a partner at Fin Capital, in a statement.
“By combining automation of InfoSec workflows with the integrated, tech-enabled audits, Laika has set themselves as the clear market leader shaping this fast-growing category.”
