What we can learn from edtech startups’ expansion efforts in Europe

It’s a story common to all sectors today: investors only want to see ‘uppy-righty’ charts in a pitch. However, edtech growth in the past 18 months has ramped up to such an extent that companies need to be presenting 3x+ growth in annual recurring revenue to even get noticed by their favored funds.

Some companies are able to blast this out of the park — like GoStudent, Ornikar and YouSchool — but others, arguably less suited to the conditions presented by the pandemic, have found it more difficult to present this kind of growth.

One of the most common themes Brighteye sees in young companies is an emphasis on international expansion for growth. To get some additional insight into this trend, we surveyed edtech firms on their expansion plans, priorities and pitfalls. We received 57 responses and supplemented them with interviews of leading companies and investors. Europe is home to 49 of the surveyed companies, six are based in the U.S., and three in Asia.

Going international later in the journey or when more funding is available, possibly due to a VC round, seems to make facets of expansion more feasible. Higher budgets also enable entry to several markets nearly simultaneously.

The survey revealed a roughly even split of target customers across companies, institutions and consumers, as well as a good spread of home markets. The largest contingents were from the U.K. and France, with 13 and nine respondents respectively, followed by the U.S. with seven, Norway with five, and Spain, Finland, and Switzerland with four each. About 40% of these firms were yet to foray beyond their home country and the rest had gone international.

International expansion is an interesting and nuanced part of the growth path of an edtech firm. Unlike their neighbors in fintech, it’s assumed that edtech companies need to expand to a number of big markets in order to reach a scale that makes them attractive to VCs. This is less true than it was in early 2020, as digital education and work is now so commonplace that it’s possible to build a billion-dollar edtech in a single, larger European market.

But naturally, nearly every ambitious edtech founder realizes they need to expand overseas to grow at a pace that is attractive to investors. They have good reason to believe that, too: The complexities of selling to schools and universities, for example, are widely documented, so it might seem logical to take your chances and build market share internationally. It follows that some view expansion as a way of diversifying risk — e.g. we are growing nicely in market X, but what if the opportunity in Y is larger and our business begins to decline for some reason in market X?

International expansion sounds good, but what does it mean? We asked a number of organizations this question as part of the survey analysis. The responses were quite broad, and their breadth to an extent reflected their target customer groups and how those customers are reached. If the product is web-based and accessible anywhere, then it’s relatively easy for a company with a good product to reach customers in a large number of markets (50+). The firm can then build teams and wider infrastructure around that traction.

Billogram, provider of a payments platform specifically for recurring billing, raises $45M

Payments made a huge shift to digital platforms during the Covid-19 pandemic — purchasing moved online for many consumers and businesses; and a large proportion of those continuing to buy and sell in-person went cash-free. Today a startup that has been focusing on one specific aspect of payments — recurring billing — is announcing a round of funding to capitalize on that growth with expansion of its own. Billogram, which has built a platform for third parties to build and handle any kind of recurring payments (not one-off purchases), has closed a round of $45 million.

The funding is coming from a single investor, Partech, and will be used to help the Stockholm-based startup expand from its current base in Sweden to six more markets, Jonas Suijkerbuijk, Billogram’s CEO and founder, said in an interview, to cover more of Germany (where it’s already active now), Norway, Finland, Ireland, France, Spain, and Italy.

The company got its start working with SMBs in 2011 but pivoted some years later to working with larger enterprises, which make up the majority of its business today. Suijkerbuijk said that in 2020, signed deals went up by 300%, and the first half of 2021 grew 50% more on top of that. Its users include utilities like Skanska Energi and broadband company Ownit, and others like remote healthcare company Kry, businesses that invoice and take monthly payments from their customers.

While there has been a lot of attention around how companies like Apple and Google are handling subscriptions and payments in apps, what Billogram focuses on is a different beast, and much more complex: it’s more integrated into the business providing services, and it may involve different services, and the fees can vary over every billing period. It’s for this reason that, in fact, even big companies in the realm of digital payments, like Stripe, which might even already have products that can help manage subscriptions on their platforms, partner with companies like Billogram to build the experiences to manage their more involved kinds of payment services.

I should point out here that Suijkerbuijk told me that Stripe recently became a partner of Billogram’s, which is very interesting… but he also added that a number of the big payments companies have talked to Billogram. He also confirmed that currently Stripe is not an investor in the company. “We have a very good relationship,” he said.

It’s not surprising to see Stripe and others wanting to do more in the area of more complex, recurring billing services. Researchers estimate that the market size (revenues and services) for subscription and recurring billing will be close to $6 billion this year, with that number ballooning to well over $10 billion by 2025. And indeed, the effort to make a payment or any kind of transaction will continue to be a point of friction in the world of commerce, so any kinds of systems that bring technology to bear to make that easier and something that consumers or businesses will do without thinking about it, will be valuable, and will likely grow in dominance. (It’s why the more basic subscription services, such as Prime membership or a Netflix subscription, or a cloud storage account, are such winners.)

Within that very big pie, Suijkerbuijk noted that rather than the Apples and Googles of the world, the kinds of businesses that Billogram currently competes against are those that are addressing the same thornier end of the payments spectrum that Billogram is. These include a wide swathe of incumbent companies that do a lot of their business in areas like debt collection, and other specialists like Scaleworks-backed Chargify — which itself got a big investment injection earlier this year from Battery Ventures, which put $150 million into both it and another billing provider, SaaSOptics, in April.

The former group of competitors are not currently a threat to Billogram, he added.

“Debt collecting agencies are big on invoicing, but no one — not their customers, nor their customers’ customers — loves them, so they are great competitors to have,” Suijkerbuijk joked.

This also means that Billogram is not likely to move into debt collection itself as it continues to expand. Instead, he said, the focus will be on building out more tools to make the invoicing and payments experience better and less painful to customers. That will likely include more moves into customer service and generally improving the overall billing experience — something we have seen become a bigger area also during the pandemic, as companies realized that they needed to address non-payments in a different way from how they used to, given world events and the impact they were having on individuals.

“We are excited to partner with Jonas and the team at Billogram,” says Omri Benayoun, General Partner at Partech, in a statement. “Having spotted a gap in the market, they have quietly built the most advanced platform for large B2C enterprises looking to integrate billing, payment, and collection in one single solution. In our discussion with leading utilities, telecom, e-health, and all other clients across Europe, we realized how valuable Billogram was for them in order to engage with their end-users through a top-notch billing and payment experience. The outstanding commercial traction demonstrated by Billogram has further cemented our conviction, and we can’t wait to support the team in bringing their solution to many more customers in Europe and beyond!”

US blames China for Exchange server hacks and ransomware attacks

The Biden administration and its allies have formally accused China of the mass-hacking of Microsoft Exchange servers earlier this year, which prompted the FBI to intervene as concerns rose that the hacks could lead to widespread destruction.

The mass-hacking campaign targeted Microsoft Exchange email servers with four previously undiscovered vulnerabilities that allowed the hackers — which Microsoft already attributed to a China-backed group of hackers called Hafnium — to steal email mailboxes and address books from tens of thousands of organizations around the United States.

Microsoft released patches to fix the vulnerabilities, but the patches did not remove any backdoor code left behind by the hackers that might be used again for easy access to a hacked server. That prompted the FBI to secure a first-of-its-kind court order to effectively hack into the remaining hundreds of U.S.-based Exchange servers to remove the backdoor code. Computer incident response teams in countries around the world responded similarly by trying to notify organizations in their countries that were also affected by the attack.

In a statement out Monday, the Biden administration said the attack, launched by hackers backed by China’s Ministry of State Security, resulted in “significant remediation costs for its mostly private sector victims.”

“We have raised our concerns about both this incident and the [People’s Republic of China’s] broader malicious cyber activity with senior PRC Government officials, making clear that the PRC’s actions threaten security, confidence, and stability in cyberspace,” the statement read.

The National Security Agency also released details of the attacks to help network defenders identify potential routes of compromise.

Several allies, including the U.K. and the members of NATO, also backed the Biden administration in its findings. In a statement, the U.K. government found Beijing responsible for a “pervasive pattern” of hacking. The Chinese government has repeatedly denied claims of state-backed or sponsored hacking.

The Biden administration also blamed China’s Ministry of State Security for contracting with criminal hackers to conduct unsanctioned operations, like ransomware attacks, “for their own personal profit.” The government said it was aware that China-backed hackers have demanded millions of dollars in ransom from hacked companies. Last year, the Justice Department charged two Chinese spies for their role in a global hacking campaign that saw prosecutors accuse the hackers of operating for personal gain.

Although the U.S. has publicly engaged the Kremlin to try to stop it giving ransomware gangs safe harbor to operate from within Russia’s borders, the U.S. has not previously accused Beijing of launching or being involved with ransomware attacks.

“The PRC’s unwillingness to address criminal activity by contract hackers harms governments, businesses, and critical infrastructure operators through billions of dollars in lost intellectual property, proprietary information, ransom payments, and mitigation efforts,” said Monday’s statement.

The statement also said that the China-backed hackers engaged in extortion and cryptojacking, a way of forcing a computer to run code that uses its computing resources to mine cryptocurrency, for financial gain.

The Justice Department also announced fresh charges against four China-backed hackers working for the Ministry of State Security, which U.S. prosecutors said were engaged in efforts to steal intellectual property and infectious disease research into Ebola, HIV and AIDS, and MERS against victims based in the U.S., Norway, Switzerland and the United Kingdom by using a front company to hide their operations.

“The breadth and duration of China’s hacking campaigns, including these efforts targeting a dozen countries across sectors ranging from healthcare and biomedical research to aviation and defense, remind us that no country or industry is safe. Today’s international condemnation shows that the world wants fair rules, where countries invest in innovation, not theft,” said deputy attorney general Lisa Monaco.

Tesla faces $163M payout to drivers in Norway following court decision

A Norwegian conciliation council has ordered Tesla to pay thousands of dollars each to Model S owners after it found that a software update led to longer charging times, the Norwegian newspaper Nettavisen reported Monday. Drivers eligible for compensation under the ruling will receive 136,000 kroner ($16,000) each.

Thirty Tesla drivers brought a complaint to the conciliation council in December 2020, citing that charging times slowed down after a software update the previous year. The poorer performance affected Tesla Model S vehicles manufactured between 2013 and 2015.

Tesla sold about 10,000 Model S vehicles during that timeframe in Norway. That means Tesla faces an overall payout of up to 1.36 billion kroner ($163 million), Nettavisen said.

Tesla did not respond to the complaint prior to the judgement being issued and it has until May 30 to pay the fine. The company has the opportunity to appeal the ruling to the Oslo Conciliation Board by June 17.

This is not the first time Tesla has faced complaints on charging speeds in court. A Tesla owner in 2019 filed a lawsuit against the EV manufacturer in the Northern California federal court alleging fraud and decreased battery range following a software update.

Norway leads Europe in the number of EVs on the road, with battery electric vehicles accounting for 54% of all new vehicle sales in 2020, according to the Norwegian Road Federation. Audi e-trons were the most popular vehicle sold, followed by the Model 3.

Chinese EV maker NIO is stepping outside of China for the first time

Chinese electric vehicle maker NIO has chosen Norway — an EV hotspot — for its first foray into international markets. NIO Norway will offer a European version of ES8, NIO’s flagship electric SUV, to Norwegian customers from September this year. The ET7 sedan will follow in 2022.

“The decision to have Norway as our first destination overseas is backed by long-term thinking,” NIO founder William Li explained at an event Thursday. “Norway is the most EV-friendly company.” Among the European countries, Norway is the biggest adopter of battery electric vehicles. The company’s relationship with Norway stretches back to 2018 when Norges Bank, the country’s sovereign fund, gave the automaker “critical support” during its initial public offering, Li said at the event. Nio signed a strategic partnership agreement with the Norwegian EV Association, also in 2018.

That high EV adoption rate also means Nio will be making its pitch to a growing consumer base of savvy EV owners. In Norway, Nio will face competition from Chinese automakers like XPeng, international rivals Tesla and European automakers such as Volkswagen and Audi.

In addition to vehicle sales, the company also detailed plans to open dedicated service centers, vehicle charging stations and its Nio Power Swap battery swapping stations in Norway. The company aims to build four battery swapping stations around Oslo by the end of 2021, with additional swapping stations coming to the Norwegian cities Bergen, Trondheim, Stavanger and Kristiansand in 2022. Nio’s Norway team is composed of around 15 people, but that number is expected to grow to around 50 by the end of 2021, according to the company.

The Chinese automaker has had a slow start since its founding in 2014, but started gaining ground in the second half of 2020 through the latest quarter. Nio reported deliveries of 20,060 vehicles in the first quarter, a 422.7% jump from the same period last year when COVID-19 was busy upending the economy on a global scale. Sales in the first quarter of 2021 were also 15.6% higher from the fourth quarter. It has delivered 102,000 vehicles to date. These deliveries helped the company increase its vehicle sales by 489% compared to the first quarter of 2019.

Still, Nio is losing money, although the gap between revenues and net loss continues to narrow.

The boost in sales was likely due in part to the January debut of the ET7, its flagship electric sedan and the first vehicle model to be fitted with its so-called “NIO Autonomous Driving” software. The company has been an outlier when it comes to charging, adopting a battery swap option in addition to traditional plug and charge stations. Nio has already completed more than 2.4 million swaps for Chinese users, Li said – a number that’s growing by 10,000 every day. Last August, the company also debuted its “battery-as-a-service” purchasing option, which allows drivers to lease the battery from the company and only purchase the vehicle.

Disqus facing $3M fine in Norway for tracking users without consent

Disqus, a commenting plugin that’s used by a number of news websites and which can share user data for ad targeting purposes, has got into hot water in Norway for tracking users without their consent.

The local data protection agency said today it has notified the U.S.-based company of an intent to fine it €2.5 million (~$3M) for failures to comply with requirements in Europe’s General Data Protection Regulation (GDPR) on accountability, lawfulness and transparency.

Disqus’ parent, Zeta Global, has been contacted for comment.

Datatilsynet said it acted following a 2019 investigation in Norway’s national press — which found that default settings buried in the Disqus plug-in opted sites into sharing user data on millions of users in markets including the U.S.

And while in most of Europe the company was found to have applied an opt-in to gather consent from users to be tracked — likely in order to avoid trouble with the GDPR — it appears to have been unaware that the regulation applies in Norway.

Norway is not a member of the European Union but is in the European Economic Area — which adopted the GDPR in July 2018, slightly after it came into force elsewhere in the EU. (Norway transposed the regulation into national law also in July 2018.)

The Norwegian DPA writes that Disqus’ unlawful data-sharing has “predominantly been an issue in Norway” — and says that seven websites are affected: NRK.no/ytring, P3.no, tv.2.no/broom, khrono.no, adressa.no, rights.no and document.no.

“Disqus has argued that their practices could be based on the legitimate interest balancing test as a lawful basis, despite the company being unaware that the GDPR applied to data subjects in Norway,” the DPA’s director-general, Bjørn Erik Thon, goes on.

“Based on our investigation so far, we believe that Disqus could not rely on legitimate interest as a legal basis for tracking across websites, services or devices, profiling and disclosure of personal data for marketing purposes, and that this type of tracking would require consent.”

“Our preliminary conclusion is that Disqus has processed personal data unlawfully. However, our investigation also discovered serious issues regarding transparency and accountability,” Thon added.

The DPA said the infringements are serious and have affected “several hundred thousands of individuals”, adding that the affected personal data “are highly private and may relate to minors or reveal political opinions”.

“The tracking, profiling and disclosure of data was invasive and nontransparent,” it added.

The DPA has given Disqus until May 31 to comment on the findings ahead of issuing a fine decision.

Publishers reminded of their responsibility

Datatilsynet has also fired a warning shot at local publishers who were using the Disqus platform — pointing out that website owners “are also responsible under the GDPR for which third parties they allow on their websites”.

So, in other words, even if you didn’t know about a default data-sharing setting that’s not an excuse because it’s your legal responsibility to know what any code you put on your website is doing with user data.

The DPA adds that “in the present case” it has focused the investigation on Disqus — providing publishers with an opportunity to get their houses in order ahead of any future checks it might make.

Norway’s DPA also has some admirably plain language to explain the “serious” problem of profiling people without their consent. “Hidden tracking and profiling is very invasive,” says Thon. “Without information that someone is using our personal data, we lose the opportunity to exercise our rights to access, and to object to the use of our personal data for marketing purposes.

“An aggravating circumstance is that disclosure of personal data for programmatic advertising entails a high risk that individuals will lose control over who processes their personal data.”

Zooming out, the issue of adtech industry tracking and GDPR compliance has become a major headache for DPAs across Europe — which have been repeatedly slammed for failing to enforce the law in this area since GDPR came into application in May 2018.

In the UK, for example (which transposed the GDPR before Brexit so still has an equivalent data protection framework for now), the ICO has been investigating GDPR complaints against real-time bidding’s (RTB) use of personal data to run behavioral ads for years — yet hasn’t issued a single fine or order, despite repeatedly warning the industry that it’s acting unlawfully.

The regulator is now being sued by complainants over its inaction.

Ireland’s DPC, meanwhile — which is the lead DPA for a swathe of adtech giants which site their regional HQ in the country — has a number of open GDPR investigations into adtech (including RTB). But it has also failed to issue any decisions in this area almost three years after the regulation began being applied.

Its lack of action on adtech complaints has contributed significantly to rising domestic (and European) pressure on its GDPR enforcement record more generally, including from the European Commission. (And it’s notable that the latter’s most recent legislative proposals in the digital arena include provisions that seek to avoid the risk of similar enforcement bottlenecks.)

The story on adtech and the GDPR looks a little different in Belgium, though, where the DPA appears to be inching toward a major slap-down of current adtech practices.

A preliminary report last year by its investigatory division called into question the legal standard of the consents being gathered via a flagship industry framework, designed by the IAB Europe. This so-called ‘Transparency and Consent’ framework (TCF) was found not to comply with the GDPR’s principles of transparency, fairness and accountability, or the lawfulness of processing.

A final decision is expected on that case this year — but if the DPA upholds the division’s findings it could deal a massive blow to the behavioral ad industry’s ability to track and target Europeans.

Studies suggest Internet users in Europe would overwhelmingly choose not to be tracked if they were actually offered the GDPR standard of a specific, clear, informed and free choice, without any loopholes or manipulative dark patterns.

China’s Xpeng in the race to automate EVs with lidar

Elon Musk famously said any company relying on lidar is “doomed.” Tesla instead believes automated driving functions are built on visual recognition and is even working to remove the radar. China’s Xpeng begs to differ.

Founded in 2014, Xpeng is one of China’s most celebrated electric vehicle startups and went public when it was just six years old. Like Tesla, Xpeng sees automation as an integral part of its strategy; unlike the American giant, Xpeng uses a combination of radar, cameras, high-precision maps powered by Alibaba, localization systems developed in-house, and most recently, lidar to detect and predict road conditions.

“Lidar will provide the 3D drivable space and precise depth estimation to small moving obstacles even like kids and pets, and obviously, other pedestrians and the motorbikes which are a nightmare for anybody who’s working on driving,” Xinzhou Wu, who oversees Xpeng’s autonomous driving R&D center, said in an interview with TechCrunch.

“On top of that, we have the usual radar which gives you location and speed. Then you have the camera which has very rich, basic semantic information.”

Xpeng is adding lidar to its mass-produced EV model P5, which will begin delivering in the second half of this year. The car, a family sedan, will later be able to drive from point A to B based on a navigation route set by the driver on highways and certain urban roads in China that are covered by Alibaba’s maps. An older model without lidar already enables assisted driving on highways.

The system, called Navigation Guided Pilot, is benchmarked against Tesla’s Navigate On Autopilot, said Wu. It can, for example, automatically change lanes, enter or exit ramps, overtake other vehicles, and maneuver another car’s sudden cut-in, a common sight in China’s complex road conditions.

“The city is super hard compared to the highway but with lidar and precise perception capability, we will have essentially three layers of redundancy for sensing,” said Wu.

By definition, NGP is an advanced driver-assistance system (ADAS) as drivers still need to keep their hands on the wheel and take control at any time (Chinese laws don’t allow drivers to be hands-off on the road). The carmaker’s ambition is to remove the driver, that is, reach Level 4 autonomy two to four years from now, but real-life implementation will hinge on regulations, said Wu.

“But I’m not worried about that too much. I understand the Chinese government is actually the most flexible in terms of technology regulation.”

The lidar camp

Musk’s disdain for lidar stems from the high costs of the remote sensing method that uses lasers. In the early days, a lidar unit spinning on top of a robotaxi could cost as much as $100,000, said Wu.

“Right now, [the cost] is at least two orders low,” said Wu. After 13 years with Qualcomm in the U.S., Wu joined Xpeng in late 2018 to work on automating the company’s electric cars. He currently leads a core autonomous driving R&D team of 500 staff and said the force will double in headcount by the end of this year.

“Our next vehicle is targeting the economy class. I would say it’s mid-range in terms of price,” he said, referring to the firm’s new lidar-powered sedan.

The lidar sensors powering Xpeng come from Livox, a firm touting more affordable lidar and an affiliate of DJI, the Shenzhen-based drone giant. Xpeng’s headquarters is in the adjacent city of Guangzhou about 1.5 hours’ drive away.

Xpeng isn’t the only one embracing lidar. Nio, a Chinese rival to Xpeng targeting a more premium market, unveiled a lidar-powered car in January but the model won’t start production until 2022. Arcfox, a new EV brand of Chinese state-owned carmaker BAIC, recently said it would be launching an electric car equipped with Huawei’s lidar.

Musk recently hinted that Tesla may remove radar from production outright as it inches closer to pure vision based on camera and machine learning. The billionaire founder isn’t particularly a fan of Xpeng, which he alleged owned a copy of Tesla’s old source code.

In 2019, Tesla filed a lawsuit against Cao Guangzhi alleging that the former Tesla engineer stole trade secrets and brought them to Xpeng. XPeng has repeatedly denied any wrongdoing. Cao no longer works at Xpeng.

Supply challenges

While Livox claims to be an independent entity “incubated” by DJI, a source told TechCrunch previously that it is just a “team within DJI” positioned as a separate company. The intention to distance from DJI comes as no one’s surprise as the drone maker is on the U.S. government’s Entity List, which has cut key suppliers off from a multitude of Chinese tech firms including Huawei.

Other critical parts that Xpeng uses include NVIDIA’s Xavier system-on-the-chip computing platform and Bosch’s iBooster brake system. Globally, the ongoing semiconductor shortage is pushing auto executives to ponder over future scenarios where self-driving cars become even more dependent on chips.

Xpeng is well aware of supply chain risks. “Basically, safety is very important,” said Wu. “It’s more than the tension between countries around the world right now. Covid-19 is also creating a lot of issues for some of the suppliers, so having redundancy in the suppliers is some strategy we are looking very closely at.”

Taking on robotaxis

Xpeng could have easily tapped the flurry of autonomous driving solution providers in China, including Pony.ai and WeRide in its backyard Guangzhou. Instead, Xpeng becomes their competitor, working on automation in-house and pledging to outrival the artificial intelligence startups.

“The availability of massive computing for cars at affordable costs and the fast dropping price of lidar is making the two camps really the same,” Wu said of the dynamics between EV makers and robotaxi startups.

“[The robotaxi companies] have to work very hard to find a path to a mass-production vehicle. If they don’t do that, two years from now, they will find the technology is already available in mass production and their value will become much less than today’s,” he added.

“We know how to mass-produce a technology up to the safety requirement and the quarantine required of the auto industry. This is a super high bar for anybody wanting to survive.”

Xpeng has no plans of going visual-only. Options of automotive technologies like lidar are becoming cheaper and more abundant, so “why do we have to bind our hands right now and say camera only?” Wu asked.

“We have a lot of respect for Elon and his company. We wish them all the best. But we will, as Xiaopeng [founder of Xpeng] said in one of his famous speeches, compete in China and hopefully in the rest of the world as well with different technologies.”

5G, coupled with cloud computing and cabin intelligence, will accelerate Xpeng’s path to achieve full automation, though Wu couldn’t share much detail on how 5G is used. When unmanned driving is viable, Xpeng will explore “a lot of exciting features” that go into a car when the driver’s hands are freed. Xpeng’s electric SUV is already available in Norway, and the company is looking to further expand globally.

Norwegian corporate training startup Attensi raises $26M from NYC’s Lugard Road, DX Ventures

Corporate training startup Attensi — which originally emerged out of Oslo, Norway — has raised $26 million from New York-based Lugard Road Capital, DX Ventures (a VC fund backed by Delivery Hero), and existing shareholder Viking Venture. The new funding will be used to expand in North America and Europe.

Attensi uses a ‘gamified’ approach to corporate training, putting employees into 3D simulations of their workplace and work processes. Its competitors include companies like GoSkills, Mindflash, SAP Litmos and Skilljar.

With the pandemic shifting all office work to remote, digital training platforms like this stand to benefit.

This is also yet another recent example of how US VCs are ‘going hunting’ for startups in Europe, putting pressure on local VCs.

Attensi co-founder and co-CEO Trond Aas said in a statement: “With gamified simulation training, we have combined the best of workplace psychology with our expertise in simulations and gamification to create a new category of training solutions.”

The company claims it’s experienced a 63% CAGR in annual recurring revenue. Its clients include Daimler Mercedes Benz, Circle K, Equinor, BCG, and ASDA.

Doug Friedman, a partner at Lugard Road Capital, said: “We could not be more excited to be investing in the Attensi team as they work to forever change and improve corporate learning and development through their Attensi solutions.”

How Jamaica failed to handle its JamCOVID scandal

As governments scrambled to lock down their populations after the COVID-19 pandemic was declared last March, some countries had plans underway to reopen. By June, Jamaica became one of the first countries to open its borders.

Tourism represents about one-fifth of Jamaica’s economy. In 2019 alone, four million travelers visited Jamaica, bringing thousands of jobs to its three million residents. But as COVID-19 stretched into the summer, Jamaica’s economy was in free fall, and tourism was its only way back — even if that meant at the expense of public health.

The Jamaican government contracted with Amber Group, a technology company headquartered in Kingston, to build a border entry system allowing residents and travelers back onto the island. The system was named JamCOVID and was rolled out as an app and a website to allow visitors to get screened before they arrive. To cross the border, travelers had to upload a negative COVID-19 test result to JamCOVID before boarding their flight from high-risk countries, including the United States.

Amber Group’s CEO Dushyant Savadia boasted that his company developed JamCOVID in “three days” and that it effectively donated the system to the Jamaican government, which in turn pays Amber Group for additional features and customizations. The rollout appeared to be a success, and Amber Group later secured contracts to roll out its border entry system to at least four other Caribbean islands.

But last month TechCrunch revealed that JamCOVID exposed immigration documents, passport numbers, and COVID-19 lab test results on close to half a million travelers — including many Americans — who visited the island over the past year. Amber Group had set the access to the JamCOVID cloud server to public, allowing anyone to access its data from their web browser.

Whether the data exposure was caused by human error or negligence, it was an embarrassing mistake for a technology company — and, by extension, the Jamaican government — to make.

And that might have been the end of it. Instead, the government’s response became the story.

A trio of security lapses

By the end of the first wave of coronavirus, contact tracing apps were still in their infancy and few governments had plans in place to screen travelers as they arrived at their borders. It was a scramble for governments to build or acquire technology to understand the spread of the virus.

Jamaica was one of a handful of countries using location data to monitor travelers, prompting rights groups to raise concerns about privacy and data protection.

As part of an investigation into a broad range of these COVID-19 apps and services, TechCrunch found that JamCOVID was storing data on an exposed, passwordless server.

This wasn’t the first time TechCrunch found security flaws or exposed data through our reporting. It also was not the first pandemic-related security scare. Israeli spyware maker NSO Group left real location data on an unprotected server that it used for demonstrating its new contact tracing system. Norway was one of the first countries with a contact tracing app, but pulled it after the country’s privacy authority found the continuous tracking of citizens’ location was a privacy risk.

Just as we have with any other story, we contacted who we thought was the server’s owner. We alerted Jamaica’s Ministry of Health to the data exposure on the weekend of February 13. But after we provided specific details of the exposure to ministry spokesperson Stephen Davidson, we did not hear back. Two days later, the data was still exposed.

After we spoke to two American travelers whose data was spilling from the server, we narrowed down the owner of the server to Amber Group. We contacted its chief executive Savadia on February 16, who acknowledged the email but did not comment, and the server was secured about an hour later.

We ran our story that afternoon. After we published, the Jamaican government issued a statement claiming the lapse was “discovered on February 16” and was “immediately rectified,” neither of which were true.

Instead, the government responded by launching a criminal investigation into whether there was any “unauthorized” access to the unprotected data that led to our first story, which we perceived to be a thinly veiled threat directed at this publication. The government said it had contacted its overseas law enforcement partners.

When reached, a spokesperson for the FBI declined to say whether the Jamaican government had contacted the agency.

Things didn’t get much better for JamCOVID. In the days that followed the first story, the government engaged a cloud and cybersecurity consultant, Escala 24×7, to assess JamCOVID’s security. The results were not disclosed, but the company said it was confident there was “no current vulnerability” in JamCOVID. Amber Group also said that the lapse was a “completely isolated occurrence.”

A week went by and TechCrunch alerted Amber Group to two more security lapses. After the attention from the first report, a security researcher who saw the news of the first lapse found exposed private keys and passwords for JamCOVID’s servers and databases hidden on its website, and a third lapse that spilled quarantine orders for more than half a million travelers.

Amber Group and the government claimed it faced “cyberattacks, hacking and mischievous players.” In reality, the app was just not that secure.

Politically inconvenient

The security lapses come at a politically inconvenient time for the Jamaican government, as it attempts to launch a national identification system, or NIDS, for the second time. NIDS will store biographic data on Jamaican nationals, including their biometrics, such as their fingerprints.

The repeat effort comes two years after the government’s first law was struck down by Jamaica’s High Court as unconstitutional.

Critics have cited the JamCOVID security lapses as a reason to drop the proposed national database. A coalition of privacy and rights groups cited the recent issues with JamCOVID for why a national database is “potentially dangerous for Jamaicans’ privacy and security.” A spokesperson for Jamaica’s opposition party told local media that there “wasn’t much confidence in NIDS in the first place.”

It’s been more than a month since we published the first story and there are many unanswered questions, including how Amber Group secured the contract to build and run JamCOVID, how the cloud server became exposed, and if security testing was conducted before its launch.

TechCrunch emailed both the Jamaican prime minister’s office and Jamaica’s national security minister Matthew Samuda to ask how much, if anything, the government donated or paid to Amber Group to run JamCOVID and what security requirements, if any, were agreed upon for JamCOVID. We did not get a response.

Amber Group also has not said how much it has earned from its government contracts. Amber Group’s Savadia declined to disclose the value of the contracts to one local newspaper. Savadia did not respond to our emails with questions about its contracts.

Following the second security lapse, Jamaica’s opposition party demanded that the prime minister release the contracts that govern the agreement between the government and Amber Group. Prime Minister Andrew Holness said at a press conference that the public “should know” about government contracts but warned “legal hurdles” may prevent disclosure, such as for national security reasons or when “sensitive trade and commercial information” might be disclosed.

That came days after local newspaper The Jamaica Gleaner had a request to obtain contracts revealing the salaries of state officials denied by the government under a legal clause that prevents the disclosure of an individual’s private affairs. Critics argue that taxpayers have a right to know how much government officials are paid from public funds.

Jamaica’s opposition party also asked what was done to notify victims.

Government minister Samuda initially downplayed the security lapse, claiming just 700 people were affected. We scoured social media for proof but found nothing. To date, we’ve found no evidence that the Jamaican government ever informed travelers of the security incident — either the hundreds of thousands of affected travelers whose information was exposed, or the 700 people that the government claimed it notified but has not publicly released.

TechCrunch emailed the minister to request a copy of the notice that the government allegedly sent to victims, but we did not receive a response. We also asked Amber Group and Jamaica’s prime minister’s office for comment. We did not hear back.

Many of the victims of the security lapse are from the United States. Neither of the two Americans we spoke to in our first report were notified of the breach.

Spokespeople for the attorneys general of New York and Florida, whose residents’ information was exposed, told TechCrunch that they had not heard from either the Jamaican government or the contractor, despite state laws requiring data breaches to be disclosed.

The reopening of Jamaica’s borders came at a cost. The island saw over a hundred new cases of COVID-19 in the month that followed, the majority arriving from the United States. From June to August, the number of new coronavirus cases went from tens to dozens to hundreds each day.

To date, Jamaica has reported over 39,500 cases and 600 deaths caused by the pandemic.

Last month in parliament, while announcing the country’s annual budget, Prime Minister Holness reflected on the decision to reopen the borders. He said the country’s economic decline last year was “driven by a massive 70% contraction in our tourist industry.” More than 525,000 travelers — both residents and tourists — have arrived in Jamaica since the borders opened, Holness said, a figure slightly more than the number of travelers’ records found on the exposed JamCOVID server in February.

Holness defended reopening the country’s borders.

“Had we not done this the fall out in tourism revenues would have been 100% instead of 75%, there would be no recovery in employment, our balance of payment deficit would have worsened, overall government revenues would have been threatened, and there would be no argument to be made about spending more,” he said.

Both the Jamaican government and Amber Group benefited from opening the country’s borders. The government wanted to revive its falling economy, and Amber Group enriched its business with fresh government contracts. But neither paid enough attention to cybersecurity, and victims of their negligence deserve to know why.

Whereby, which allows more collaboration over video calls, raises $12M from Point Nine and 20 Angels

Zoom, Microsoft and Google all rocketed to the top of the charts in the virtual meetings stakes during the pandemic, but a plucky startup from Norway had other ideas. Video meeting startup Whereby has now raised $12 million from German VC Point Nine, SaaStr fund and a group of more than 20 angel investors.

Angel investors include Josh Buckley (CEO, Product Hunt), Elizabeth Yin (Hustle Fund) and Jason M. Lemkin (founder of SaaStr).

Øyvind Reed, CEO at Whereby, said in a statement: “The past year has led many of us to question the future of work, with video meetings set to remain a big part of our lives. More than ever, the tools we use to connect have to enable effective and enjoyable meetings, providing focus, collaboration and wellbeing.”

Whereby’s platform has three pricing plans (including free) and allows users to embed tools like Google Docs, Trello and Miro directly in their meetings, unlike other video platforms.

Whereby was demonstrated to me by co-founder Ingrid Ødegaard on a coffee table during 2016’s Oslo Innovation Week. I immediately set up my username, which has existed even as the startup changed its name from Appear.in. Ingrid told me during an interview that they “tried to be much more human-centric and really focus on some of the human problems that come with collaborating remotely. One of the big mistakes that a lot of people are making is just replicating the behavior that they had in the office… whereas we think that you actually need to work in a fundamentally different way. We want to help people do that and by making it really easy to jump in and have a meeting when you need to. But our goal is not to push people to have more meetings, quite the opposite.”

The startup’s secret weapon is enterprise integrations. If you had a video meeting with a UK GP over video in the last year it was probably over Whereby (indeed, mine was!). Whereby won a contract with the NHS for its remote video patient consultations during the pandemic. Competitors for this include Jitsi and AccurX. The company claims it saw a 450% increase in users across 150 countries last year.

“Last year we saw the mass adoption of video meetings,” said Christoph Janz, Partner at Point Nine. “Now it’s about taking the user experience to the next level and Whereby will be leading that charge. It’s amazing to see a Scandinavian startup playing in the same league as the tech giants.”