Activision Exploits CPRA

Now that the playbook is out there, it’s only a matter of time before others follow suit.

Welcome to the Cyber Sizzler - the only cybersecurity newsletter that helps everyone from analysts to CEOs get 2% better every day.

We're the John Dutton of cyber newsletters: we'll do whatever it takes to make everyone from CEOs to analysts 2% better every day.

Hey, want to know a little secret? If you share this newsletter with just two of your buds, you'll gain access to our exclusive Cyber Sizzler database. It's like a secret club, but without the weird handshakes. Simply share this email, reply to us and ask for access - done. 

ON DECK FOR TODAY

  • DUMPSTER FIRE: Activision exploits CPRA

  • CACHING IN: Metomic boosts funding w/ another $20M

  • JALA-MEME-ÑOS: 

DUMPSTER FIRE

Eyebrow-raising breaches that you already know about, but with our 🌶️ added

  • Affected: 1 employee phished, every Activision employee's data stolen. Hard to say how many, since headcount gets rolled up under Microsoft

  • Dwell time: Unknown. 🐠’d on Dec 4, 2022, but the security team “swiftly addressed” it, whatever that means

  • Notification time: Data leaked on Feb 19, 2023. Company kept it under wraps until employee data popped up for sale. For reasons…

  • Identity monitoring: None 🙄

Insider Gaming appears to have covered this first, followed by many others.

And for the second day in a row we find ourselves needing to parse words.

Activision sent the following to TechCrunch:

“The security of our data is paramount, and we have comprehensive information security protocols in place to ensure its confidentiality. On December 4, 2022, our information security team swiftly addressed an SMS phishing attempt and quickly resolved it. Following a thorough investigation, we determined that no sensitive employee data, game code, or player data was accessed.”

Activision states “no sensitive employee data” was accessed.

But per Insider Gaming, full names, corporate emails and phone numbers, job opening offer amounts, places of work, and more were stolen.

So, what gives?

Activision is going by the book when it comes to data classification.

Okay, bear with us while we wade through weeds thicker than the crazy cat lady's house on the corner.

Ok, here we go.

As a California-based company, Activision is governed by the California Consumer Privacy Act (CCPA), which as originally written didn't treat Personal Information any differently from Sensitive Personal Information.

For clarity: sensitive data such as Social Security numbers and health records is different from run-of-the-mill personal information, but under the original CCPA it was all treated the same.

In November 2020, California voters approved the California Privacy Rights Act (CPRA) to correct this issue.

CPRA's definition of sensitive personal information covers items like Social Security numbers, account credentials, precise geolocation and health data, and it specifically includes 'the contents of a consumer's mail, email, and text messages, unless the business is the intended recipient of the communication.' Plain names, work email addresses and phone numbers are not on that list.

The key point: most of CPRA did not become operative until January 1, 2023.

This date is significant because, as Insider Gaming points out, Activision can now state that 'no sensitive employee data' was accessed: the stolen names, emails, phone numbers and offer amounts fall outside CPRA's sensitive category, and the 'contents of email' were not accessed.

That’s some real lawyery stuff…

If Activision had rushed to announce the compromise of their systems before January 1, they would have had to disclose that personally identifiable information (PII) was accessed, regardless of the type.

Why? Because, as mentioned above, there was no differentiation between sensitive and non-sensitive data prior to that date.

But now Activision gets to spin it in their favor and make it look like nothing all that bad happened.

So, where does that leave us?

It sure seems like Activision slow-walked this one so they could hide behind the CPRA, which clearly wasn't designed for this purpose.

Now that the playbook is out there, it’s only a matter of time before others follow suit.

CACHING IN

Our take

Data Loss Prevention (DLP) has been around since Nickelback subjected us to How You Remind Me, and is probably liked by the same people.

The players in the industry are even older. McAfee brought us the first DLP product, followed by Symantec, RSA, and a handful of others.

Add to that the fact that DLP solutions are notoriously difficult to set up, finicky as a fox to configure, and can require significant resources to maintain.

Right about now you're probably saying:

“Please, for the love of Oprah, don't make this section as long as the last.”

We won't! 🤣

That’s where Metomic comes in. They’re aiming to disrupt the industry dominated by established players, and they recently secured new funding to help them do just that.

We like Metomic's ambition and swagger. They've got a solid list of integrations, although it's clear that they're targeting a smaller customer profile at the moment.

To really succeed in the enterprise market and achieve a high average revenue per user (ARPU), they'll need to add more big-name integrations to their arsenal, like Microsoft and other industry giants. If they can't do that quickly enough in-house, partnering with a company like Paragon could be a smart move for them to generate faster returns.

Hey Rich, we’d love a demo 🌶️

Jala-meme-ños

🌶️ 🤣

TALL GLASS OF MILK

Time to cool down with a tall glass of milk. Thanks for reading! We'll be back tomorrow. In the meantime, feel free to reach out if you have any questions or feedback. Keep crushing it!


AFTERBURN

#motivation