Private Equity Gave Your Bank Password to Hackers
Francisco Partners and Evergreen Coast Capital Corp own LastPass. They raised prices, and then fumbled security. You had one job guys!
Welcome to BIG, a newsletter on the politics of monopoly power.
Last year, I noted that LastPass, a beloved password manager for consumers, engaged in an extortion scheme against its customers.
LastPass has encouraged millions of people to replace weak passwords on retail websites, internet banks and other online services. Instead, the software handles authentication automatically using long, complex passwords that are impossible to guess — or remember.
Two investment firms, Elliott Management and Francisco Partners, acquired the service as part of their $4.3bn buyout of internet software group LogMeIn in September last year.
Now, the app is warning users that they must pay as much as $36 a year if they want access to those cumbersome passwords on all their devices.
The reason is that LastPass had been purchased by two private equity firms, Francisco Partners and Evergreen Coast Capital Corp. Typically, PE firms raise prices, lower quality, harm workers, and reduce customer service. This particular pricing move sparked a backlash from customers, and the two PE firms pledged to spin off the company and make it independent. But that hasn’t happened.
And now there’s some new information about the lovely management of LastPass. Apparently hackers have stolen encrypted password vaults, which means that users of LastPass are now vulnerable and must change every single password they have. Poor quality is common within private equity owned software firms, which means cybersecurity vulnerabilities quickly follow. We’ve seen this with PE-owned software firms facilitating the hacking of the NYC subway, nuclear weapons facilities, and criminal ransomware.
At this point, it’s time to recognize that ownership and management of software firms by private equity is itself a security risk.
Two interesting takes on this. First, "Southwest Airlines' Christmas Meltdown Shows How Corporations Deliberately Pit Consumers Against Low-Wage Workers":
Our system is set up to create mutual antagonism between members of the working class. Meanwhile, faceless corporate executives remain shielded like mob bosses.
https://open.substack.com/pub/thecolumn/p/southwest-airlines-christmas-meltdown?utm_campaign=post&utm_medium=web
Secondly, Ticketmaster - to quote one of the comments: "In court, Ticketmaster said it had no problem being “Ticket Bastard”. It was part of their offering to the artists, venues and promoters."
https://youtu.be/Kr8AFb-fo_M
I don’t think it’s much of a stretch to extend the logic behind “the ownership and management of software firms by private equity is itself a security risk” to all businesses as a national economic security risk, inasmuch as private equity seems to be the apotheosis of business short-termism. (At least, if you’re so short-term focused that outright looting seems A-OK.)
Also, I ding that FT writer for an absolute failure to understand the threat model under which password managers work via dank phrasing à la “– or remember” and “cumbersome”. The entire point of a password manager is that humans, even those who are statistically *really good* at remembering passwords, are actually terrible at remembering truly strong attack-proof passwords. If your password manager is just holding a bunch of easy-to-remember passwords, it’s *pointless* in the face of real-world threats.