CBP says traveler and license plate images were stolen in data breach

U.S. Customs and Border Protection has confirmed that a data breach involved the photos of passengers traveling in and out of the United States.

The photos were stolen from a subcontractor’s network through a “malicious cyberattack,” a CBP spokesperson told TechCrunch in an email. The agency first learned of the breach on May 31.

“CBP learned that a subcontractor, in violation of CBP policies and without CBP’s authorization or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network,” said a statement.

“Initial information indicates that the subcontractor violated mandatory security and privacy protocols outlined in their contract,” the statement read.

When asked, a spokesperson for CBP didn’t say how many photos were taken in the breach or if U.S. citizens were affected. The agency also didn’t name the subcontractor involved.

It remains unclear exactly what kind of photos were taken, such as whether the images were collected directly by CBP officers from visitors entering the U.S. or as part of the agency’s rollout of facial recognition technology at U.S. airports.

The agency, which processes millions of travelers entering the U.S. every week, maintains a database of traveler images, including passport and visa photos. The database has come under fire from a federal watchdog which said the accuracy of the system was subpar.

More than a dozen U.S. airports are already rolling out the facial recognition technology, with many more to go before the U.S. government hits its target of enrolling the largest 20 airports in the country before 2021.

More soon…

Maker Faire halts operations and lays off all staff

Financial troubles have forced Maker Media, the company behind crafting publication MAKE: magazine as well as the science and art festival Maker Faire, to lay off its entire staff of 22 and pause all operations. TechCrunch was tipped off to Maker Media’s unfortunate situation which was then confirmed by the company’s founder and CEO Dale Dougherty.

For 15 years, MAKE: guided adults and children through step-by-step do-it-yourself crafting and science projects, and it was central to the maker movement. Since 2006, Maker Faire’s 200 owned and licensed events per year in over 40 countries let attendees wander amidst giant, inspiring art and engineering installations.

“Maker Media Inc ceased operations this week and let go of all of its employees — about 22 employees” Dougherty tells TechCrunch. “I started this 15 years ago and it’s always been a struggle as a business to make this work. Print publishing is not a great business for anybody, but it works…barely. Events are hard . . . there was a drop off in corporate sponsorship.” Microsoft and Autodesk failed to sponsor this year’s flagship Bay Area Maker Faire.

But Dougherty is still desperately trying to resuscitate the company in some capacity, if only to keep MAKE:’s online archive running and continue allowing third-party organizers to license the Maker Faire name to throw affiliated events. Rather than bankruptcy, Maker Media is working through an alternative Assignment for Benefit of Creditors process.

“We’re trying to keep the servers running” Dougherty tells me. “I hope to be able to get control of the assets of the company and restart it. We’re not necessarily going to do everything we did in the past but I’m committed to keeping the print magazine going and the Maker Faire licensing program.” The fate of those hopes will depend on negotiations with banks and financiers over the next few weeks. For now the sites remain online.

The CEO says staffers understood the challenges facing the company following layoffs in 2016, and then at least 8 more employees being let go in March according to the SF Chronicle. They’ve been paid their owed wages and PTO, but did not receive any severance or two-week notice.

“It started as a venture-backed company but we realized it wasn’t a venture-backed opportunity” Dougherty admits, as his company had raised $10 million from Obvious Ventures, Raine Ventures, and Floodgate. “The company wasn’t that interesting to its investors anymore. It was failing as a business but not as a mission. Should it be a non-profit or something like that? Some of our best successes for instance are in education.”

The situation is especially sad because the public was still enthusiastic about Maker Media’s products. Dougherty said that despite rain, Maker Faire’s big Bay Area event last week met its ticket sales target. 1.45 million people attended its events in 2016. MAKE: magazine had 125,000 paid subscribers and the company had racked up over one million YouTube subscribers. But high production costs in expensive cities and a proliferation of free DIY project content online had strained Maker Media.

“It works for people but it doesn’t necessarily work as a business today, at least under my oversight” Dougherty concluded. For now the company is stuck in limbo.

Regardless of the outcome of revival efforts, Maker Media has helped inspire a generation of engineers and artists, brought families together around crafting, and given shape to a culture of tinkerers. The memory of its events and weekends spent building will live on as inspiration for tomorrow’s inventors.

7.7 million LabCorp records stolen in same hack affecting Quest

LabCorp is the latest laboratory testing giant this week to confirm it’s affected by the same third-party data breach.

The Burlington, North Carolina-based medical giant said 7.7 million patients had their personal and financial data stolen by hackers, which hit the payment pages of the American Medical Collection Agency, a third-party vendor that processes payments for LabCorp and other companies.

The admission comes a day after Quest Diagnostics said around 11.9 million patients had their data stolen.

In a filing with the Securities and Exchange Commission, LabCorp said the stolen data includes a patient’s name, date of birth, address, phone number, date of service, provider, and balance information.

“AMCA’s affected system also included credit card or bank account information that was provided by the consumer to AMCA,” said the filing. Some 200,000 patients will receive more detailed notices that their financial information was taken.

But LabCorp said no medical data or lab and diagnostic results data was taken.

Like the Quest breach, LabCorp’s data incident ran from August 1, 2018 until March 30, 2019.

The total number of patients affected by the AMCA payments page breach stands at just shy of 20 million. Given the company provides payment and bill collection services to a broad range of businesses, we may see similar notices dropping in the near future.

Verified Expert Growth Marketing Agency: Bell Curve

Bell Curve founder Julian Shapiro describes his team as talented growth marketers who have a long tail expertise of various channels and who aren’t afraid to play part-time therapists. As an agency, they’re comfortable grounding founder expectations by explaining “No, virality isn’t a dependable growth strategy,” but “Hey, we can come up with a better strategy together.”

Bell Curve, the agency, also runs Demand Curve, a remote growth marketing training program that teaches students (and marketing professionals) the ins and outs of performance marketing.

For a glimpse of how Bell Curve thinks about growth marketing, check out Julian’s guest posts about how startups can actually get content marketing to work and how founders can hire a great growth marketer.

What makes Bell Curve different:

“Bell Curve runs a growth bootcamp which we took in February. It radically improved our growth rate, gave us access to enough data to experiment with, and as a result we built an engine for growth that we could continue to tune.” Gil Akos, SF, CEO & Co-founder, Astra

“We run a program where we train companies to run ads on every channel. So, what makes Bell Curve unique is that we, by necessity, have a deep understanding of many more channels than the average agency. We have an archive of tactics and approaches that we’ve accumulated for how to do them just as well as the big ad channels.

In effect, companies come to us when they need expertise beyond Facebook, Google and Instagram, which we still bring to the table, but when they also need to figure out how to make Quora ads profitable, how to get Reddit working, how to get YouTube videos working, Snapchat, Pinterest, etc. These are channels people don’t specialize in enough and so we also bring that long tail of expertise.”

On common misconceptions about growth:

“A common mistake people make coming into growth is thinking that growth hacks are a meaningful thing. The ultimate growth hack is having the self-discipline to pursue growth fundamentals properly and completely. So, things like properly A/B testing, identifying your most enticing value propositions and articulating them clearly and concisely, bringing in deep channel expertise for Facebook, Instagram, Google Search, and a couple of other channels. These are the tenets of making digital growth work. Not one-off hacks.”

Below, you’ll find the rest of the founder reviews, the full interview, and more details like pricing and fee structures. This profile is part of our ongoing series covering startup growth marketing agencies with whom founders love to work, based on this survey and our own research. The survey is open indefinitely, so please fill it out if you haven’t already.


Interview with Bell Curve Founder Julian Shapiro

Yvonne Leow: Can you tell me a little bit about how you got into this game of growth?

Julian Shapiro: I actually started by running growth for friends’ companies because they had a hard time finding experienced growth marketers. After a year and a half of doing this, I realized it’d be a more stable source of income if I formed an agency. It’d also allow me to pattern match so I could exchange learnings among clients and have a better net performance.

It all came together very quickly. Once Bell Curve hit about 10 clients, we had enough strategic and customer acquisition overlap that we were able to share tactics, double our volume of A/B testing, and get better results. It also gave us the ability to hire out a full-fledged team so we could start specializing, whereas, as a contractor, I was too much of a generalist. I wasn’t able to go deep on certain channels, like Snapchat or Pinterest ads.

Quest Diagnostics says 11.9 million credit cards and medical records skimmed by hackers

Medical testing giant Quest Diagnostics has confirmed a third-party billing company has been hit by a data breach affecting 11.9 million patients.

The laboratory testing company revealed the data breach in a filing on Monday with the Securities and Exchange Commission.

According to the filing, the breach was the result of malicious code found on the payment pages of the American Medical Collection Agency, a third-party collections vendor for Quest. The code skimmed information put into the website, like credit card numbers, as well as medical information and personal data from the site.

But laboratory tests were not included in the stolen data, Quest said.

The malicious skimming code was present from August 1, 2018 until May 31, 2019, said Quest, which noted that it has “not been able to verify the accuracy of the information” from the AMCA.

Quest said it has since stopped sending collection requests to the vendor while it investigates, and has hired outside security experts to understand the damage.

It’s far from the first company to be hit by skimming malware. Highly targeted credit card skimming attacks hit Ticketmaster, British Airways, and consumer electronics giant Newegg in the past year, affecting millions of customers. The so-called Magecart group of hackers would break into vulnerable websites and install the malicious code to skim and send data back to the hacker-controlled servers.

It’s not known who was behind Quest’s data breach.

A spokesperson for the American Medical Collection Agency did not immediately comment when contacted.


Flipboard hacks prompt password resets for millions of users

Social sharing site and news aggregator Flipboard has reset millions of user passwords after hackers gained access to its systems several times over a nine-month period.

The company confirmed in a notice Tuesday that the hacks took place between June 2, 2018 and March 23, 2019 and a second time on April 21-22, 2019, but the intrusions were only detected a day later on April 23.

Hackers stole usernames, email addresses, passwords and account tokens for third-party services. According to the notice, “not all” Flipboard users’ account data were involved in the breaches but the company declined to say how many users were affected.

Flipboard has more than 150 million monthly users.

“We’re still identifying the accounts involved and as a precaution, we reset all users’ passwords and replaced or deleted all digital tokens,” the notice read.

Although the passwords were unreadable, Flipboard said passwords prior to March 14, 2012 were scrambled using the older, weak SHA-1 hashing algorithm. Any passwords changed after are scrambled using a much stronger algorithm that makes it far more difficult to reveal in a usable format.

The hacks also exposed account tokens, which give Flipboard access to data from accounts on other services, like Facebook, Google, and Samsung.

“We have not found any evidence the unauthorized person accessed third-party account(s) connected to users’ Flipboard accounts,” said the statement. “As a precaution, we have replaced or deleted all digital tokens.”

Flipboard becomes the latest tech giant to be hit by hackers in recent months. Developer platform Stack Overflow earlier this month confirmed a breach involved some user data. Canva, one of the biggest sites on the internet, was also hacked. Last week, the Australia-based company admitted close to 140 million users had data stolen following the breach.


How to see another company’s growth tactics and try them yourself

Every company’s online acquisition strategy is out in the open. If you know where to look.

This post shows you exactly where to look, and how to reverse engineer their growth tactics.

Why is this important? Competitive analysis de-risks your own growth experiments: You find the best growth ideas to adopt and the worst ones to avoid.

First, a warning: Your goal is not to repurpose another company’s hard work. That makes you a thief. Your goal is to identify other companies who face the same growth challenges as you, then to study their approaches for solutions to draw from.

As I walk through uncovering a competitor’s tactics, keep in mind which competitors are worth looking at: For instance, you should rarely over-analyze early-stage companies. They’re unlikely to be methodical at growth.

Meaning, if you blindly copy their site and their ads, it’s possible you’ll be copying tactics that are not actually responsible for their growth. Their success may instead be from network effects or other hidden factors.

Instead, it’s safest to get inspiration from companies who’ve sustained high growth rates for a long time, and who face the same growth challenges as you. They’re likely to have sophisticated growth operations worth studying deeply. Examples include:

  • Pinterest
  • Airbnb
  • Amazon
  • Facebook
  • Uber

If these aren’t your direct competitors, don’t worry. You don’t need to audit a direct competitor’s tactics to get incredibly valuable insights.

You can look past direct competitors.

You’ll gain useful insights from auditing the user acquisition funnel of any company who has a similar audience and business model.

Examples of audiences:

  • Wealthy consumers
  • Enterprise businesses
  • Middle-class adults who use Chrome
  • Dog owners
  • And so on

Audiences matter because their behaviors and needs differ wildly. Each requires its own growth strategy. You want to audit a company whose audience is similar to yours.

You also want to ensure the company shares your business model. Examples include:

  • A high-touch sales process with multiple phone calls
  • A consumer ecommerce site with easy checkout
  • A self-serve SaaS signup with a freemium plan
  • A pay-to-play mobile game
  • And so on

Each model may necessitate different ads, landing pages, automated emails, and sales collateral.

The process

Never implement another company’s tactics blindly.

There’s an effective process for growth analysis, and it looks like this:

  1. Source potential growth ideas.
  2. Prioritize them.
  3. A/B test them.
  4. Measure if an A/B variant significantly outperformed its baseline and whether the cost of implementing the winner would be worthwhile.
  5. Only then should you implement it.

An example

Here’s a brief example before we dive into tactics.

Let’s pretend we’re a SaaS company offering consumer banking tools, and that we’re struggling to get users to onboard our app. Our hypothesis is that visitors are bouncing because they don’t trust us with their sensitive information.

Our first step is to define both our audience and our business model:

  • Audience: Tech-savvy, adult consumers.
  • Business model: SaaS freemium funnel.

Our next step is to look for companies who share those two aspects. (We can find them on Crunchbase.)

Once we have a few in hand, we look for how they handle customers’ sensitive information throughout their funnel. Specifically, we audit their:

It’s time to learn how we audit all that. I’ll share how our marketer training program teaches marketers to do this on the job.

Tactic #1: How to see a company’s A/B tests

CFIUS Cometh: What this Obscure Agency Does and Why It Matters to Your Fund or Startup

On January 12, 2016, Grindr announced it had sold a 60% controlling stake in the company to Beijing Kunlun Tech, a Chinese gaming firm, valuing the company at $155 million. Champagne bottles were surely popped at the small-ish firm.

Though not at a unicorn-level valuation, the 9-figure exit was still respectable and signaled a bright future for the gay hookup app. Indeed, two years later, Kunlun bought the rest of the firm at more than double the valuation and was planning a public offering for Grindr.

On March 27, 2019, it all fell apart. Kunlun was putting Grindr up for sale instead.

What went wrong? It wasn’t that Grindr’s business ground to a halt. By all accounts, its business seems to actually be growing. The problem was that Kunlun owning Grindr was viewed as a threat to national security. Consequently, CFIUS, or the Committee for Foreign Investment in the United States, stepped in to block the transaction.

So what changed? CFIUS was expanded by FIRRMA, or the Foreign Risk Review Modernization Act, in late 2018, which gave it massive new power and scale. Unlike before, FIRRMA gave CFIUS a technology focus. So now CFIUS isn’t just an American problem—it’s an American tech problem. And in the coming years, it will transform venture capital, Chinese involvement in US tech, and maybe even startups as we know it.

Here’s a closer look at how it all fits together.

What is CFIUS?


CFIUS is the most important agency you’ve never heard of, and until recently it wasn’t even more than a committee. In essence, CFIUS has the ability to stop foreign entities, called “covered entities,” from acquiring companies when it could adversely affect national security—a “covered transaction.”

Once a filing is made, CFIUS investigates the transaction and both parties, which can take over a month in its first pass. From there, the company and CFIUS enter a negotiation to see if they can resolve any issues.

Spotify resets some account passwords citing ‘suspicious activity’

Music streaming giant Spotify has notified an unspecified number of users that the company has reset their account password, but has left dozens of users asking why.

In an email, some Spotify users were told their password was reset “due to detected suspicious activity,” but gave no further details.

When reached, Spotify spokesperson Peter Collins said: “As part of our ongoing maintenance efforts to combat fraudulent activity on our service, we recently shared a communication with select users to reset their passwords as a precaution. As a best practice, we strongly recommend users not to use the same credentials across different services to protect themselves.”

In other words, Spotify says this is a credential stuffing attack, where hackers take lists of usernames and passwords from other breached sites and brute-force their way into other accounts.

We asked several people who received the email reset message. Some used the same password across different websites and some used passwords unique to Spotify. Two people who commented on this Hacker News thread also said their passwords were unique, casting doubt on the veracity of a credential stuffing attack.

It’s not uncommon for companies to reset user passwords if they believe they are weak or easily guessed. Companies typically don’t store user passwords in plaintext. Instead, they scramble passwords using a hashing algorithm. By scrambling lists of weak or stolen passwords using the same algorithm, companies can match weak passwords against their own databases and proactively send out password reset emails.

Netflix, Facebook, and Spotify too have all proactively reset account passwords in the aftermath of third-party data breaches by obtaining the dataset and matching exposed passwords against their databases.
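The matching described above, as an added example (not code from Spotify or any company named here): stolen email/password pairs and a weak-password list are re-hashed with each account's own salt and compared against the stored hash, and matching accounts are flagged for a reset. The PBKDF2 storage scheme, the function names and all sample accounts are assumptions constructed for illustration.

```python
import hashlib
import hmac

# Assumption: the service stores PBKDF2-HMAC-SHA256 hashes with a per-user salt.
# The iteration count is deliberately low so this sample runs quickly.
ITERATIONS = 1_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Hash a password the same way the (hypothetical) login service does."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(email: str, password: str, salt_hex: str) -> dict:
    """Build a stored credential record; only the salt and hash are kept."""
    salt = bytes.fromhex(salt_hex)
    return {"email": email, "salt": salt, "hash": hash_password(password, salt)}


def matches(record: dict, candidate: str) -> bool:
    """Re-hash a candidate with the record's salt and compare in constant time."""
    return hmac.compare_digest(hash_password(candidate, record["salt"]), record["hash"])


def accounts_to_reset(records, breached_pairs, weak_passwords):
    """Return {email: reason} for accounts whose stored hash matches known-bad input.

    breached_pairs: (email, password) tuples from a third-party breach dataset.
    weak_passwords: commonly used passwords to test against every account.
    """
    by_email = {r["email"].lower(): r for r in records}
    flagged = {}

    # Breach pairs cost one hash each: test only the account with the same email.
    for email, password in breached_pairs:
        record = by_email.get(email.lower())
        if record and matches(record, password):
            flagged[record["email"]] = "password reused from third-party breach"

    # The weak list costs accounts x passwords hashes, because each salt differs.
    for record in records:
        if record["email"] in flagged:
            continue
        if any(matches(record, weak) for weak in weak_passwords):
            flagged[record["email"]] = "weak password"

    return flagged


# Constructed sample data: three accounts, a breach dataset and a weak list.
USER_DB = [
    make_record("alice@example.test", "Summer2019!", "a1" * 16),
    make_record("bob@example.test", "123456", "b2" * 16),
    make_record("carol@example.test", "k7#Vq9!mZp2x", "c3" * 16),
]
BREACHED_PAIRS = [
    ("alice@example.test", "Summer2019!"),     # same password reused here
    ("carol@example.test", "carol-old-pass"),  # breached elsewhere, not reused
    ("dave@example.test", "hunter2"),          # no account on this service
]
WEAK_PASSWORDS = ["password", "123456", "qwerty"]

if __name__ == "__main__":
    for email, reason in accounts_to_reset(USER_DB, BREACHED_PAIRS, WEAK_PASSWORDS).items():
        print(f"reset {email}: {reason}")
```

An account with a unique, strong password (carol in the sample) is not flagged by either check, even though her email appears in the breach dataset.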

Spotify did not respond to our follow-up questions.

Customers of Chipotle, DoorDash, and OkCupid have all reported account hacks in recent months. All three have denied data breaches.

Myneral.me wins the TechCrunch Hackathon at VivaTech

It’s been a long night at VivaTech. The building hosted a very special competition — the TechCrunch Hackathon in Paris.

Hundreds of engineers and designers got together to come up with something cool, something neat, something awesome. The only condition was that they only had 36 hours to work on their projects. Some of them were participating in our event for the first time, while others were regulars. Some of them slept on the floor in a corner, while others drank too much Red Bull.

We could all feel the excitement in the air when the 64 teams took the stage to present a one-minute demo to impress fellow coders and our judges. But only one team could take home the grand prize and €5,000. So, without further ado, meet the TechCrunch Hackathon winner.

Winner: Myneral.me

Current mining operations lack transparency and clarity in the way they are monitored. In order to understand how a material went from initial discovery in the mine to end product, a new tool is necessary to monitor operations. Myneral.me offers an all-encompassing platform for the metal and mining sector that showcases CSR to both industry partners and end users. Find out more on Myneral.me.

Runner-Up #1: Vyta

Vyta takes patient information and helps doctors understand which patient needs to be treated first. A simple tool like this could make things smoother for everyone at the emergency room and improve treatments.

Runner-Up #2: Scrub

SCRUB = SCRUM + BUGS. Easily track your errors across applications and fix them using our algorithmic suggestions and code samples. Our open-source bug tracker automagically collects all errors for you. Find out more on GitHub.

Runner-Up #3: Chiche

Finding the future upcoming brand depends on the set of data you are using to detect it. First, they do a simple quantification of the most famous brands on social media to identify three newcomers. Second, they use Galerie Lafayette’s website as a personal shopping tool to propose to customers the most suitable product among the three newcomers.


Judges

Dr. Aurélie Jean has been working for more than 10 years as a research scientist and an entrepreneur in computational sciences, applied to engineering, medicine, education, economy, finance and journalism. In the past, Aurélie worked at the Massachusetts Institute of Technology and at Bloomberg. Today, Aurélie works and lives between USA and France to run In Silico Veritas, a consulting agency in analytics and computer simulations. Aurélie is an advisor at the Boston Consulting Group and an external collaborator for The Ministry of Education of France. Aurélie is also a science editorial contributor for Le Point, teaches algorithms in universities and conducts research.

Julien Meraud has a solid track record in e-commerce after serving international companies for several years, including eBay, PriceMinister and Rakuten. Before joining Doctolib, Julien was CMO of Rakuten Spain, where he improved brand online acquisition, retention, promotions and campaigns. Julien joined Doctolib at the very beginning (2014), becoming the company’s first CMO and quickly holding CPO functions additionally. At Doctolib, Julien also leads Strategy teams that are responsible for identifying and sizing Doctolib’s potential new markets. Julien has a Master’s degree in Marketing, Statistics and Economics from ENSAI and a specialized Master in Marketing Management from ESSEC Business School.

Laurent Perrin is the co-founder and CTO of Front, which is reinventing email for teams. Front serves more than 5,000 companies and has raised $79 million in venture funding from investors such as Sequoia Capital, DFJ and Uncork Capital. Prior to Front, Laurent was a senior engineer at various startups and helped design scalable real-time systems. He holds a Master’s in Computer Science from École Polytechnique and Télécom ParisTech.

Neesha Tambe is the head of Startup Battlefield, TechCrunch’s global startup launch competition. In this role she sources, recruits and vets thousands of early-stage startups per year while training and coaching top-tier startups to launch in the infamous Startup Battlefield competition. Additionally, she pioneered the concept and launched CrunchMatch, the networking program at TechCrunch events that has facilitated thousands of connections between founders, investors and the startup community at-large. Prior to her work with TechCrunch, Neesha ran the Sustainable Brands’ Innovation Open — a startup competition for shared value and sustainability-focused startups with judges from Fortune 50 companies.

Renaud Visage is the technical co-founder of San Francisco-based Eventbrite (NYSE: EB), the globally leading event technology platform that went public in September 2018. Renaud is also an angel investor, guiding founders that are solving challenging technical problems in realizing their global ambitions, and he works closely with seed VC firm Point Nine Capital as a board partner, representing the fund on the board of several of their portfolio companies. Renaud also serves on the board of ShareIT, the Paris-based tech for good acceleration program launched in collaboration with Ashoka, and is an advisor to the French impact investing fund, Ring for Good. In 2014, Renaud was included in Wired UK’s Top 100 digital influencers in Europe.

In addition to our judges, here’s the hackmaster who was the MC for the event:

Romain Dillet is a senior writer at TechCrunch. Originally from France, Romain attended EMLYON Business School, a leading French business school specialized in entrepreneurship. He covers many things, from mobile apps with great design to privacy, security, fintech, Apple, AI and complex tech achievements. He also speaks at major tech conferences. He likes pop culture more than anything in the world. He now lives in Paris when he’s not on the road. He used to live in New York and loved it.