Insight Partners, a mega venture capital firm with more than $90 billion in funds under management, fears network intruders got their hands on internal sensitive data about employees, portfolio companies, investors, and more.
In February, the biz informed folks that some miscreants had performed a “sophisticated social engineering attack” and gained access to Insight’s servers. Insight said it detected the security breach on January 16, and third-party cyber-investigators were drafted in to determine what data, if any, had been accessed.
This week, Insight issued an update. “Based on our investigation to date, we understand that the impacted data may include certain fund, management company, and portfolio company information, banking and tax information, and certain personal information of our current and former employees, as well as information related to our limited partners,” it said in a statement. Limited partners (LPs) are the big passive investors that plow money into VCs, who then use the dosh to discover and invest in promising upstarts.
Most startups fail, but if one or two turn into the next Google, everybody in the value chain wins big. So most VCs strive to keep this kind of competitive financial information close to the vest.
Insight doesn’t state if the information in question was stolen or just viewed. The outfit said it had already updated current staff and LPs, and would notify other affected parties on a “rolling basis.” It gave the fairly standard advice to affected parties: Change personal and enterprise passwords as a precaution, use multi-factor authentication, consider a credit freeze, and so on.
The VC firm has over the years held significant stakes in a variety of tech firms, such as Twitter, Wiz, Hootsuite, SentinelOne, and Recorded Future. Information about these companies, as well as other potential startup investment targets, could be valuable to competitors and other investors. But perhaps more worryingly, it could set up the intruders to pull off some sophisticated business email compromise (BEC) scams.
BEC is a $55 billion problem worldwide, according to the FBI. It often starts when criminals get hold of people’s work email addresses or phone numbers in an organization. The crooks then typically fool these employees by pretending to be senior management and getting them to redirect funds to shell companies set up by the fraudsters. The more information the attackers have about a company’s business – such as invoices, account information, business partners, suppliers, and so on – the more convincing they can make these scams.
The rise of AI deepfakes has made such scams even easier to pull off. Last year the FCC issued a warning that the use of convincing deepfaked audio is on the rise, and in Hong Kong a finance executive was reportedly convinced by a deepfake video of the company’s CFO to wire $25 million to unknown persons. And the cost of those deepfakes is only coming down. ®
