Enterprise tech's insecurity complex
Today: A pair of security incidents show why corporate attention on magical AI solutions should wait, why CoreWeave's latest funding round shows that it probably won't, and the latest moves in enterprise tech.
Welcome to Runtime! Today: A pair of security incidents show why corporate obsession with magical generative AI toys should wait, why CoreWeave's latest funding round shows that it probably won't, and the latest moves in enterprise tech.
How long must we sing this song
Writing about enterprise cybersecurity sometimes feels like being in a really weird and nerdy version of Groundhog Day, where everyone says the same things over and over again and nothing changes. This week saw a repeat of the same cycle, as a prominent vendor disclosed a serious breach of user information and the CEO of a $450 billion company dodged questions about its failure to adopt some very simple security practices.
On Wednesday, Dropbox revealed that a "threat actor" had compromised Dropbox Sign, a product built by the former HelloSign team that allows businesses to execute contracts. The breach occurred on April 24th, according to the company, one week before it disclosed the incident to the SEC in a filing.
- The good news is that Dropbox does not believe that the breach involved any actual contracts or documents — which would have been a disaster for its customers — and that the breach did not spread to Dropbox's core infrastructure.
- The bad news is that more sensitive personal information is once again floating around hacking circles, including "emails, usernames, phone numbers and hashed passwords, in addition to general account settings and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication," according to Dropbox.
- Dropbox Sign reset passwords and is helping customers rotate their API keys and OAuth tokens, but it's not clear how many customers may have been exposed as that process took place.
- "We have not determined that the incident is reasonably likely to materially impact our financial condition or results of operations," Dropbox said in the SEC filing.
While Dropbox Sign users were scrambling to deal with that incident, UnitedHealth CEO Andrew Witty was scrambling to answer questions about the massive Change Healthcare breach before a Senate committee the same day.
- Witty confirmed that UnitedHealth paid $22 million in ransom to the group that stole personal data belonging to nearly one-third of all Americans, "adding that however there was no guarantee that the breached data was secure and could not still be leaked," according to Reuters.
- “The decision to pay a ransom was mine,” Witty said, according to CNBC. “This was one of the hardest decisions I’ve ever had to make, and I wouldn’t wish it on anyone.”
- No one appears to have asked Witty why he paid the ransom despite the fact that nearly any security or ransomware expert on the planet recommends the exact opposite approach, because trusting criminals to honor their promises is like complying with the wallet inspector.
- However, Oregon Senator Ron Wyden (who represents Runtime) did warn CEOs of large conglomerates who want to acquire other large companies in the future that they might need to prove they can secure networks that store information belonging to millions of Americans.
As the security community gathers in San Francisco next week for RSA, the past week makes it clear that its work matters more to the short-term well-being of the economy than ever before.
- Generative AI can be a useful tool for security professionals, as we covered last year, but the companies spending millions of dollars trying to automate call-center professionals might be better off spending a fraction of that money making sure they've implemented basic security procedures.
- This is especially true at companies in the so-called "critical infrastructure" category, which includes UnitedHealth.
- Few people miss the days of paper record-keeping, even though people could still get their prescriptions filled if somebody broke into a healthcare company's Iron Mountain locker 20 years ago.
- That's the challenge: Security incidents are going to happen because human beings make mistakes, but security companies, practitioners, and regulators need to work together to design more resilient systems that ensure that a single incident doesn't impact one-third of the country.
Rent seeking
Few companies in recent memory have pivoted as nimbly as CoreWeave, which turned the lemons created by the collapse of the crypto market in 2022 into the lemonade of the generative AI boom in 2023. The Jersey-est startup in enterprise tech raised another $1.1 billion in funding this week, taking its valuation to $19 billion, which is more than Elon Musk's failed social-media experiment is worth these days.
CoreWeave rents Nvidia GPUs to companies training AI models, and business has been brisk. "It's been pretty wild," Brian Venturo, now the chief strategy officer at CoreWeave, told Runtime a year ago. Even though a fair amount of the generative AI hysteria has calmed down, renting GPUs is still a seller's market.
The Next Platform estimated Thursday that companies renting GPUs stand to make more than six times their investment in procuring GPUs over time, which means CoreWeave and competitors like Lambda are sitting on a ton of potential business. Obviously the Big Clouds are competing for that business as well, but according to Omdia, as of late last year CoreWeave had nearly as many top-tier Nvidia GPUs as AWS.
Enterprise moves
Dennis Woodside is the new CEO of Freshworks, replacing founder Girish Mathrubootham, who will become chairman of the enterprise SaaS company.
Rick Berger is the new CEO of Rootstock Software, joining the manufacturing software company from NewStore.
Jennifer Leggio is the new COO of Tidal Cyber, after serving as an advisor to the threat-management company for the last eight months.
Lynne Doherty is the new president of field operations at Sonar, following more than two years in a similar role at Sumo Logic.
The Runtime roundup
Cloudflare reported a 30% jump in revenue and beat Wall Street expectations, but the day traders were unimpressed by its second-quarter forecast falling just short of their expectations.
Oracle rolled out new AI features to its flagship database, allowing companies to search that data with natural-language inputs.
MongoDB also updated its Atlas database with AI in mind and added its vector search capabilities to AWS's Bedrock platform.
Amazon announced that it would adopt CrowdStrike's security products across its massive infrastructure, including AWS.
Two prominent Israeli weapons manufacturers are required to purchase cloud services from AWS and Google Cloud, according to The Intercept.
Enterprise generative AI apps are "unsexy," according to Wired, a publication that recently asked the question "What if your AI girlfriend hated you?"
Thanks for reading — see you Saturday!