For Tallinn-based crypto startup 3Commas, the last week of December 2022 gave little reason to be merry.
Just three days before New Year’s Eve, the founders realised that 100k of their customers’ API keys had been stolen and parts of the database made public on social media. These keys enable users to connect their crypto exchange accounts to 3Commas’ automated trading tools — and are a direct route to stealing customers’ crypto funds.
The company says that it cannot comment on the exact amount of money that was taken, but it has opened an investigation and is working with law enforcement in the different countries where customers were affected. It also hired an external cybersecurity firm to understand how the attack was carried out and to improve the business’s cyber systems.
Now, almost eight months later, the company looks back on the first half of 2023 as “the toughest in the history of 3Commas”.
“Obviously, any data leak hurts,” says Yuriy Sorokin, the cofounder of 3Commas. “Temporarily, this has caused a drop in our business metrics.”
Data breaches are usually associated with big names, huge scandals and hefty fines — think Facebook or Google. But startups, too, are regular targets of malicious online activity. In 2020, hackers leaked one million customer emails from French crypto startup Ledger — and it’s now facing legal action from dozens of those affected.
Gathering exact data on the number and targets of breaches is difficult because they are not always made public. But data compiled by telecoms firm Verizon, which tracks data breach incidents across the world, shows that 58% of recorded attacks in 2022 for which the company size was known concerned small businesses with fewer than 1,000 employees.
Verizon also found that the types of attack and their motives, as well as the profile of attackers, are similar between small and large businesses — and it has become difficult to see any differences at all in attack profiles based on organisational size.
Startups vs hackers
Hackers aren’t just after sensitive data. Cyber attacks can take different forms, ranging from ransomware (when a company’s information or systems are held hostage in exchange for a monetary sum) to cybercrime (tricking somebody into sending money to the wrong person).
These attacks target organisations of all sizes. But it is a risk often underestimated by startups, which don’t see themselves as a prime target for hackers.
“Especially in the early days, from zero to when there are 30, 40, 50 people on board, there isn’t much focus on cybersecurity,” says E. Kenneth Pentimonti, principal at cyber-focused VC Paladin Capital Group.
Cybersecurity company DynaRisk recently analysed the cyber risk profile of portfolio companies for 75 leading VC funds in London, assessing criteria ranging from leaked username and password combinations to the recurrence of company names in hacker groups on the dark web. It found that 65% of portfolio companies showed a high risk of suffering a cyber attack.
In Europe, the majority of SMEs use the basic security controls that come with their IT systems, such as antivirus protection or firewalls, according to research carried out by the European Union Agency for Cybersecurity (ENISA) in 2021. ENISA also found that over 80% of European SMEs process “critical” information — data that would cause the business to face serious repercussions if it is stolen or lost.
“Even early on, companies are going to have IP, trade secrets, communications they want to keep confidential, financial transactions they’ll want to protect,” says Pentimonti. “There should be at least some thinking around this from the onset.”
That means that board members should be paying attention to cyber resilience and that someone on the management team, like the COO, should be responsible for ensuring that robust cybersecurity procedures are in place, according to Pentimonti — but also that policies exist to make every employee aware of cyber risks.
Protecting European data
The consequences of a cyber attack can be catastrophic for a startup. Almost 60% of European SMEs surveyed by ENISA said that a cybersecurity issue could cause them to go bankrupt or go out of business.
Data breaches are particularly compromising in Europe, where the protection of data is strictly regulated by the General Data Protection Regulation (GDPR). Cyber insurance company Cowbell estimates that in the UK, where the Data Protection Act provides a similar level of protection of personal data to the GDPR, the cost of a breach is between £1 and £2 per person. “Let’s say you’ve lost 200k people’s data,” says Simon Hughes, Cowbell’s general manager. “That racks up very quickly.”
Costs include business downtime while remedying the attack and the cost of legal counsel, but also potential fines and penalties from data protection watchdogs. These costs are likely to have a significantly bigger impact on resource-scarce startups than they do on deep-pocketed tech giants.
Harder to quantify but even more damaging is the reputational cost of a breach. Most users will think twice before giving up Android the moment Google suffers a data leak. “But if a startup loses my data, I probably won’t go back to them,” says Hughes. “That’s potentially business-ending.”
Although most startups don’t tend to advertise their cybersecurity failures, some examples show the extent to which data breaches can be disruptive. Last year, for example, the data of more than 50k Revolut users was leaked, including names, addresses, emails and account data. In Lithuania, where the fintech has a banking licence, the data protection watchdog has opened an investigation to assess whether Revolut violated the EU’s data protection regulations.
Ledger’s 2020 data breach also had a significant impact on the business’s operations. One million customer email addresses were leaked, on top of the exposure of about 272k records of client emails, first and last names, phone numbers, postal addresses and product purchases. An additional data breach at Ledger’s e-commerce partner Shopify led to a separate leak of 292k records.
In addition to committing resources to finding and prosecuting the hackers behind the attack, the company hired a new chief information security officer and invested in hardening the company’s cybersecurity infrastructure. It also implemented new policies to completely delete customers’ personal data as soon as possible.
The company stated that it would not compensate people affected by the data breach, with CEO Pascal Gauthier publicly acknowledging that given its size, this would kill the business.
In France, around 40 Ledger customers represented by law firm ORWL initiated legal action against the company two years ago. They are claiming that Ledger failed to comply with GDPR requirements and that they were harmfully impacted by the insufficient protection of their data.
Romain Chilly, a lawyer at ORWL who is in charge of the case, says that one customer lost up to €600k in crypto funds as a result of a phishing attack following the data leak.
“There is an obligation in the GDPR to implement adequate security measures,” says Chilly. “Our clients are taking this angle, by emphasising that harmful occurrences were linked to the loss of control of their data, the loss of confidentiality, the invasion of privacy and so on.”
The case has been brought before the judicial court of Paris and an update is expected by 2024, according to Chilly. The lawyer adds that it is hard to evaluate whether and how much Ledger would be required to pay, if the company is found to have failed to comply with its data protection obligations.
“How do we evaluate the extent to which Ledger should compensate for the consequences of a successful phishing attack?” says Chilly. Ledger declined to comment.
The VC perspective
The reputational damage caused by a cyber attack goes beyond users — VCs can be put off as well, especially those who are sitting on the company’s board. “If credentials ended up on the internet because the company didn’t protect them, I think everyone would be pretty livid at the board,” says Hussein Kanji, partner at VC firm Hoxton Ventures.
A leaky cyber past would also be a red flag for new investors.
“If there is a string of these things which obviously indicate loose security or policy, then next time the company goes out for a fundraising that would be very visible,” says Kanji. “It would come up in due diligence and it would be very problematic for the company to be able to raise money.”