Data Leak of $1B “Tech Unicorn” Gorillas Shows How Far Venture Capital Has Fallen

by Netsec Investigator, June 8th, 2021

Too Long; Didn't Read

An investigation by German IT Collective Zerforschung found that the tech infrastructure of Gorillas leaks like a sieve. Customers' data was easily and publicly accessed, including names, email addresses, phone numbers, order details, physical addresses, and photos of the customers’ front doors taken by delivery workers. Gorillas is the latest in a wave of quirky-named food delivery startups spreading across Europe and poking its tendrils towards the US. Investors include the VC firm Fifth Wall, Atlantic Food Labs, and Chinese tech conglomerate Tencent.


In a world where civil unrest and economic uncertainty are on the rise amid a worldwide pandemic, venture capital firms still find ways to throw ridiculous amounts of money at trendy startups. If you haven't heard, Gorillas is the latest in a wave of quirky-named food delivery startups spreading across Europe and poking its tendrils towards the US.

Having raised over $335 million USD to date, Gorillas is currently valued at over $1 billion USD. Investors include the VC firm Fifth Wall, Atlantic Food Labs, and Chinese tech conglomerate Tencent, an interesting choice considering the lack of proprietary technology and rampant security issues plaguing Gorillas.

An investigation by German IT Collective Zerforschung found that even with over $300 million in cash, the tech infrastructure of Gorillas leaks like a sieve.

Customer data was easily and publicly accessed, including names, email addresses, phone numbers, order details, physical addresses, and even photos of the customers’ front doors taken by delivery workers.

Also available were API keys for their SendGrid mailing provider (meaning attackers could send phishing emails and malware to customers from official Gorillas email addresses), as well as for the company Slack channel (meaning attackers could send similarly disruptive messages to employees).
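Exposed provider credentials of this kind are usually easy to spot before they ship, because both vendors use distinctive key shapes. The following is an added example (not code from the article, Zerforschung, or Gorillas) that scans a config dump for SendGrid-style and Slack-style tokens and reports them in redacted form; the key patterns are the widely used secret-scanner regexes, assumed here rather than taken from the article, and the sample config values are constructed.

```python
import re

# Token shapes for the two credential types the article says were exposed.
# These are the common secret-scanner patterns (assumed, not from the article).
SECRET_PATTERNS = {
    "sendgrid_api_key": re.compile(r"SG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}"),
    "slack_token": re.compile(r"xox[abpr]-[A-Za-z0-9-]{10,}"),
}


def redact(secret):
    """Keep just enough of the value to locate it, never enough to reuse it."""
    return secret[:6] + "..." + secret[-4:]


def find_secrets(text):
    """Return (line_number, kind, redacted_value) for each credential found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((lineno, kind, redact(match.group(0))))
    return findings


def redact_text(text):
    """Replace every detected credential so the text is safe to log or share."""
    for pattern in SECRET_PATTERNS.values():
        text = pattern.sub("<REDACTED>", text)
    return text


# Constructed sample config; the key values below are fabricated, not real.
SAMPLE_CONFIG = """\
MAIL_PROVIDER=sendgrid
SENDGRID_API_KEY=SG.abcdefghijklmnopqrstuv.ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefg
SLACK_BOT_TOKEN=xoxb-1234567890-abcdefghijklmnop
DEBUG=false
"""

if __name__ == "__main__":
    for lineno, kind, shown in find_secrets(SAMPLE_CONFIG):
        print(f"line {lineno}: {kind} {shown}")
    print(redact_text(SAMPLE_CONFIG))
```

Running this as a pre-commit or CI check over config files and deploy artifacts catches the keys before they reach a public endpoint; the redacted form is what should appear in any ticket or log.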

How, you may ask, does a “tech unicorn” (and by extension, its investors) manage to screw up this badly? The answer is a two-parter.

First, Gorillas doesn’t actually make its own software.

They white-label existing courier software created by Lebanese software developer Eddress. This means that they have no direct control over the software, its security, and by extension its customers' data. Gorillas is a billion-dollar “tech company” without the tech.

Secondly, nobody asked. Even a superficial attempt at due diligence from the investors would have made it glaringly clear that there are some serious problems with security, accountability, and tech infrastructure at Gorillas.

But today, with VC money spilling out onto the streets, being fast and being first have become more important than fundamental value; it seems nobody has time for crossing their T’s and dotting their I’s anymore.

The underlying issues don’t stop there.

While numbers haven’t been made public, CEO Kağan Sümer has said in an interview with entrepreneurial podcast OMR that the company needs a significant increase in average order size to reach profitability. On top of that, the lack of proprietary tech infrastructure makes increasing losses through food waste and delivery logistics an inevitability as the company grows in size and increases the number of its warehouses around the world.

Gorillas, however, is simply the symptom of a disease of culture, attitude, and strategy that permeates the modern tech sector.

It’s not the first pump-and-dump tech unicorn propped up by investor money, and it won’t be the last. Value investing and proper due diligence have taken a backseat to investor FOMO, and it shows.

Until the industry matures enough to realize that short-term profits and quarterly shareholder reports aren’t a substitute for well-built companies with long-term growth, we’ll keep seeing the same old story of data leaks and ivory towers built on an illusory foundation. And the users, as always, get the short end of the stick.