Project Svalbard, Have I Been Pwned and its Ongoing Independence

This is going to be a lengthy blog post so let me use this opening paragraph as a summary of where Project Svalbard is at: Have I Been Pwned is no longer being sold and I will continue running it independently. After 11 months of a very intensive process culminating in many months of exclusivity with a party I believed would ultimately be the purchaser of the service, unexpected changes to their business model made the deal infeasible. It wasn’t something I could have seen coming nor was it anything to do with HIBP itself, but it introduced a range of new and insurmountable barriers. So that’s the tl;dr, let me now share as much as I can about what’s been happening since April 2019 and how the service will operate in the future.

In the Beginning, There Were 141 Companies

According to the lock screen, I took the photo below at 04:49 on the 24th of July last year. I was in yet another bland, nondescript hotel room, drinking bad coffee in an attempt to stave off the jet lag. I’d arrived in San Francisco a few days earlier after barely making my connection in Helsinki, literally running through the airport. My bag hadn’t made it. I was tired, alone, emotional and if I’m honest, at an all-time low. I snapped this pic to remind me how much energy I was pouring into the project when I came out the other side, whatever the outcome may be.

One day I’d really like to turn this whole experience into a conference talk because it’s a fascinating story, but for now I want to try and give a sense of just how intense the last 11 months has been, starting with the heading above. Per the Project Svalbard announcement blog post, I engaged KPMG to run the merger and acquisition (M&A) process for me. Between their outreach to suitable organisations and the inbound requests from others after writing the announcement blog post, we spoke to a total of 141 different companies from around the globe. (The total number of organisations under consideration was actually significantly higher than that, but we culled all those we didn’t consider “Tier 1” or in other words, highly likely to be a good fit for HIBP.) These were companies spanning all sorts of different industries; big tech, general infosec, antivirus, hosting, finance, e-commerce, cyber insurance – I could go on. The point is the net was cast very wide.

We whittled the original 141 companies down to the 43 that were best aligned to the goals I outlined in the original blog post. As I’ve said throughout this process, the decision around who I wanted to entertain as a bidder for the service was always going to be mine and mine alone so I culled companies that I didn’t believe should have responsibility for the sort of data HIBP has, that wouldn’t shepherd the service in the direction I believed it should go or were simply companies that I didn’t want to work for. That last point is critical – it was repeated over and over again by every single organisation we discussed it with that a sale of HIBP was also a sale of me for many years to come. I would be an employee. I’d fly the company flag. I’d need to support their vision. That was only ever going to happen with a company that I wanted to devote many years of my life to. So, in late July I flew to San Francisco and spent a couple of weeks meeting with those 43 companies, KPMG guys in tow. It all felt a bit, well…

Seriously, I vividly remember after one early meeting on-premise with a tech company, walking out of the building with the KPMG guys laughing about how much it felt like an episode of Silicon Valley! Over and over again, we’d go to these meetings and sit across the table from characters that could have come straight out of the show. The Russ Hannemans, the Gavin Belsons, the Lori Breens and here’s me, feeling all Richard Hendricks. I hope I was a bit more articulate than Richard, but I was someone fronting up and presenting my pride and joy to strangers who I hoped would share the same enthusiasm for it that I did. I make the Silicon Valley comparison only partly tongue-in-cheek because it was absolutely uncanny how true the experiences tracked to the comedy.

The 43 companies we met with all received an information memorandum (IM):

An Information Memorandum (IM) is a package of documents created by business owners for prospective buyers. The primary mandate of an Information Memorandum is to motivate potential investment into your business. Although this package is designed to draw the interest of prospective buyers, it dually serves the purpose of transparency. Owners should avoid exaggeration, and aspire to disclose any information that will materially affect the value of the company.

In other words, you’re trying to provide as much information as possible about the business so that potential purchasers can simultaneously understand what it does, see where the future potential is, foresee any risks, value it and ultimately put forward a bid.

Tangentially to the IM, one thing that worked in my favour when it came to providing information about how HIBP operates is that because I’ve run it with such transparency for so long, a lot of questions had already been answered publicly. For example, I was regularly asked if I’d ever received any legal threats which is apparently pretty normal for any M&A process, but you can imagine why it’d be particularly interesting when dealing with a heap of data originally obtained via illegal methods. No, I’ve never received any legal threats of substance (for example, I’ve never received a letter from a legal representative threatening to take action against me), the closest example I could think of I’d already included in one of my talks (deep-linked to the “high priced lawyers” point in the video):

I never heard anything further from Adult Fan Fiction 🙂

The IM description goes on:

Information Memorandums tend to be very exhaustive as they should include items relating to the financial standing, assets and liabilities, business description, market position, clients, strategies and promotion methods, markets served, etc. of the company.

“Exhaustive” doesn’t even begin to explain the effort that went into the Project Svalbard IM. We spent months preparing the document, regularly working until all hours to flesh it out as comprehensively as possible.

Looking back through the IM now, it had everything from traffic stats to revenue to assets to debts (none!) to customers to noteworthy events since conception to a slide on “Industry Tailwinds” talking about how big cyber is becoming (that hurt a little bit to put my name on, so much cyber…). Here’s a page from it that was intended to pimp my own personal credentials:

This was another really unexpected part of the experience – how people perceived me personally and put a value on my brand. I was really conscious that the companies weren’t bidding for HIBP, they were bidding for me running HIBP so a significant part of the purchase price was quite literally a dollar figure on my head. A little while back I had a discussion with someone who wanted to collaborate as they weren’t getting the traction they wanted when pitching their own product to major tech firms. He made the following comment about trust:

I kid you not, was in a meeting at [big tech company] HQ in [HQ location] and a comment was made to the effect that “there is only one service they trust as a white hat (Troy and HIBP) and I’m like “fuck how does one guy corner the market on trust?”

This is what the organisations bidding on HIBP were buying: trust in me. Anyone can cobble together a website with some APIs and load in a ton of data breaches, but establishing trust is a whole different story. Trust in the way I run the service is an absolutely pivotal part of HIBP and it’s something I built organically rather than setting out to earn it, now here I was with big companies putting a value on it. That felt weird in a way I’ve never experienced before, certainly not like in times gone by where I’d interviewed for jobs. But then it was also an exciting time where I’d walk into a meeting with a company and they’d be so enthusiastic to meet me in person after following me for years so we’d do selfies, hand out HIBP stickers and then settle into serious business discussions. It was surreal.

Reflecting on the Process in August

Time and time again throughout Project Svalbard, I questioned whether it was the right thing to do. The motives were right in that it was first and foremost for the sustainability of the project so I wasn’t concerned about that, but was selling HIBP genuinely the best path forward? Was this the future I wanted? Of course, I’d considered all that before making the decision to go down this path, but nothing could prepare me for the actual emotions felt once I was eyeball-deep in the M&A process.

I had a seminal moment just after all the San Francisco meetings as I was making my way over to the Black Hat and Defcon conferences in Vegas. The in-person meetings had wrapped up but that didn’t stop a never-ending stream of teleconferences (I destroyed the batteries on a set of AirPods just from Project Svalbard teleconferences). I was parked in my rental car talking to the guy who’d be my boss if the large tech company he worked for emerged as the successful bidder. He asked a question – a perfectly reasonable interview question – but it sent chills down my spine:

So Troy, explain to me what your perfect day in the office would look like.

I kid you not, the immediate thought that popped into my mind was “I get up, get on my jet ski then do whatever the fuck I want”. I can’t remember exactly how I answered the question, but I can remember how it made me feel and it was pretty damn uncomfortable. The last “job” I had I absolutely hated by the end of it. My boss was an arsehole (there was broad consensus on that noun), but I stuck it out and dealt with it until circumstances were such that there was a better path forward; ultimately, a redundancy with a nice payout (I cover this in my Hack Your Career talk). I love my life of independence and whilst I was prepared to work for a company again, it had to be the right company and this just felt… wrong. Many of them felt wrong.

Only a day later I received an email that reminded me how important HIBP was not just for me, but for an untold number of other people:

I asked Cody at the time if he’d mind me sharing this at a later date then dropped it into this draft blog post. I didn’t know what the post would say at the time, it was either going to announce a successful bidder or announce that HIBP would remain an independent project. Either way, this email was going in there to reinforce how important the trust of those who use HIBP is to me. Whatever the outcome, I wasn’t going to do anything to let the Codys of the world down.

Then I got to Vegas. I wandered the conference halls with Scott Helme for a week and time and time again had complete strangers come up to me and thank me for HIBP (they also constantly asked who the fuck the other guy was which brought a much-needed smile to my face 😊). It happened dozens of times, often with much excitement, selfies and exchanges of radio waves across Defcon badges. After one such encounter, I added the following to the draft blog post with Cody’s email and I’m reproducing it here precisely as I wrote it in the midst of the M&A process 7 months ago now:

I remember one discussion in particular where the guy was talking so sincerely about his appreciation and I just started thinking “what am I doing – can I really sell this thing?”

What those experiences in August did was help me crystallise priorities. I was still determined to see the process through, but I gained a greater appreciation for just how important it was to find the right organisation. I left Vegas feeling like HIBP was much bigger than just me.

Non-binding Bids

Of the 43 companies that received the IM, a subset of those then submitted non-binding bids which essentially means “here’s the deal we’d like to do, but there’s a heap of due diligence we need to do yet before making a binding commitment”. I’m going to be a little vague on that number as I honestly can’t remember what I represented to each of these organisations in terms of levels of interest due to the way the bids trickled in. There was a very clear timeline to submit bids given to each potential suitor, but many of them missed it not just by hours or days but in some cases, even weeks. Unsurprisingly, some organisations elected not to submit bids at all and that was really the aim of the IM; to filter out those who were serious with proceeding from those who wouldn’t ultimately be suitable. We had to ensure the 43 who received the IM was significantly chopped down.

The non-binding bids were the first time we started to get a true sense of how the various organisations valued the service. It wasn’t just the headline value either, it was how much of it was comprised of cash versus equity and over what period of time it would be paid, which brings me to a really key factor in all of this: golden handcuffs. A consistent theme across all the bidding companies was that they wanted me locked in for years and if I changed my mind part way through, I’d pay for it big time. I expected that – it wasn’t news to me – but I’d be lying if I said it didn’t worry me once I started seeing it in writing. If I entered into one of these agreements then, for example, decided I didn’t like a strategic change in direction the organisation took and decided to leave, I’d no longer have HIBP, I wouldn’t be able to do anything similar for years due to non-compete clauses and I’d be financially penalised massively. That weighed more and more heavily on me as things progressed.

The non-binding bids helped us further chop down the list of suitors. There was a massive spread of valuations. Some companies wanted me to perform roles I wasn’t comfortable with. Some wanted me to permanently relocate overseas. I hadn’t ruled out relocation at the beginning of the process, but there were enough organisations happy for me to be anywhere that it left plenty of options open without giving up my Gold Coast lifestyle (seriously, just look at this place!)

Exclusivity: Then There Was One

Apparently, the way these M&A processes run is that as you really get down to the wire with the final bidders, eventually someone will ask for exclusivity. This grants them a window of time in which they can do extensive due diligence to the exclusion of all other bidders. That might sound a bit selfish on the face of it, but as I’d soon learn this can be a very laborious, drawn out and expensive process. A bidder who believes they’re in with a good shot wants to make sure they can make that investment and have a high likelihood of coming out as the victor.

And so in September, we granted exclusivity to a bidder. Now, I’m going to be extra careful here with the words I use because even though there wasn’t ultimately a sale, I signed off on all sorts of confidentially terms which prohibit me from sharing anything that might indicate who this bidder was, how much the bid was for or what the terms of the bid were. I hate to be vague (I’m usually super transparent on these things), but I’d also hate to disrespect the privacy of this organisation or land myself in hot water legally. What I will say is that it was a company that met all my criteria both as outlined in the original Project Svalbard post and so far in this one. It was a company I respected and one I had confidence would help me take HIBP in the right direction.

And so began the extensive due diligence. KPMG had warned me about this phase right at the beginning of the process and from memory, the word they used was something akin to “onerous”. Let me try and give you a sense of just how true that word was by way of examples and I’m going to pick a handful not just from the company that had exclusivity, but from some of the earlier 43 as well. Among literally thousands of other requests (seriously – the total number was four figures), I was asked for:

  1. Minutes of all meetings of the board (remember, HIBP is a one-man show)
  2. Documented processes for when a mobile device reaches end of life (uh… I factory reset it and give it to the kids?)
  3. “Documentation of the Company’s technical operations, including but not limited to platform capabilities, database servers, data center operations, network infrastructure, IT policies, SLA’s provided to customers, back-up/redundancy plans, and emergency/disaster recovery procedures”

I copied and pasted that last point verbatim – can you imagine how much information needs to go into a response to a question like that?! How HIBP runs across the various Azure services, the Cloudflare dependencies, how I recover if things go wrong and then how that’s managed across different autonomous parts of the project such as the HIBP website, the Pwned Passwords service etc etc. This just isn’t the sort of stuff you document in a pet project so everything had to be done from scratch.

What I was being asked for during this extensive due diligence phase wasn’t coming from the folks I’d initially spoken with in the lead up to their non-binding bid, rather from the leagues of business development and legal folks behind them that needed to get involved in this process. They didn’t know who I was, had likely never heard of Have I Been Pwned before this exercise and if I was to take a guess, wouldn’t have even known how to pronounce it. But M&A was what they did and they were simply asking all the sorts of questions they would in any other M&A process so I can’t begrudge them that. Problem is, it’s one thing to get hit with those questions when you’re part of a team of people, but it’s a whole different thing when you’re one bloke on his own.

I don’t think I’ll ever be able to sufficiently explain all the emotions I felt during this phase of the process. It was an endless series of questions, meetings and if I’m honest, frustration. At one stage, I sat between lawyers arguing backwards and forwards as to whether or not I was a sophisticated investor up to speed with American Securities and Exchange Commission law and if I wasn’t, “the deal’s off”. I got a bill for that argument.

This went backwards and forwards for months. Every time we thought the whole thing was done there’d be more questions. More delays. Until it was over.

Then There Was… Zero

The news came very recently. Keeping in mind my previous point regarding confidentiality and choosing my words carefully, the circumstances that took the bidder out of the running was firstly, entirely unforeseen by the KPMG folks and myself and secondly, in no way related to the HIBP acquisition. It was a change in business model that not only made the deal infeasible from their perspective, but also from mine; some of the most important criteria for the possible suitor were simply no longer there. Collectively, we agreed to put pens down.

After many months of exclusivity with a single organisation and going through crazy amounts of due diligence, the effort involved in scrolling back to the September time frame and starting it all again with another organisation would have been enormous. I also didn’t want a situation where I compromised my own principles; the organisation we’d identified as the best possible fit was precisely that – the best possible fit – and all other candidates would mean making concessions I simply couldn’t justify. Besides, as this exercise had already demonstrated, there are absolutely no guarantees in this process and going back to square one could very easily result in many more months of effort and no outcome to show for it.

So we wrapped it up, I got the single largest bill I’ve ever received in my life and then I sat down and started writing this blog post. In doing so, I stopped for the first time since April 2019 and reflected on how much had happened during the process.

A Lot Happens in 11 Months

I onboarded 5 new governments onto HIBP: Austria, Ireland, Norway, Switzerland and Denmark (and a 6th one about to be announced any day now).  I loaded 77 new data breaches comprising of 1.7B records into HIBP and signed up almost 400k more individual subscribers to the service. I built and launched the authenticated API and payment process (I really should have doe this earlier, I’m so happy with it!)

On a more personal note, I joined the likes of Bruce Schneier, Eugene Kaspersky and Alan Turing (Alan Turing!!) in the Infosecurity Hall of Fame. I spoke at CERN. I visited 2 new countries for the first time (Israel and Hungary) and keynoted events there, plus a heap of talks in more familiar places, a bunch of workshops, I still wrote blog posts and somehow – miraculously – never missed a weekly video.

On the M&A front, I had to learn about normalised EBITDA, revenue multiples and ARR. I met literally hundreds of people in person regarding Project Svalbard during both the San Francisco meetings and travel to other parts of the US and the world.

During all of this, I still had to run HIBP in a “business as usual” fashion. I still manually verified every breach, hand edited every logo of a pwned company, issued (and chased) every invoice, did the tax returns and prepared the business activity statements. In other words, all the stuff I’d always done for years still had to be done regardless of how menial it was, none of that went away. I’m detailing all of this here to help explain what I need to do next…

So, What’s Next for HIBP and for Me?

To be honest, I need some time to recover. What I’ve explained in this post will never adequately illustrate just how stressful this process was. I need some time where I’m not waking up dreading how much work will have landed in my inbox overnight. I need some time to write more code and more blog posts, two things that remain my passion but had to take a back seat during this process. I’ll still keep running HIBP as I always have, but I need the head-space to get my energy levels back up and plan the next phase. I’ve (almost entirely) cleared my calendar for the next few months to give me that much-needed time out and with coronavirus causing a heap of conferences to be cancelled and travel plans to be disrupted, it’s probably not a bad time to stay home anyway.

Having said that, there are things that have become abundantly clear during the M&A process that I’m confident will feature in that next phase. I need more support, for one. I can’t be the single person responsible for everything so I’ll be considering the best way to start delegating workload. That’ll not only help me run the service as it stands today, but it’ll help me expand it to do so many of the things I’d wanted to in a post-acquisition world. It’ll also allow me to work towards no longer being the single point of failure; there has to be a contingency plan for if I get taken down in a freak drop bear accident.

One of the things I’m really excited about is a concept I’ve had bubbling away in the back of my mind for a couple of years now about how the industry as a whole can better tackle the flood of data breaches we’re seeing. I floated this idea past each of the companies I met with during Project Svalbard and the support for it was overwhelming, even from those organisations that knew very early on they wouldn’t be bidding. For those reading this that were part of those discussions, I’m determined to make it happen this year and I will be in touch!

Another area I expect to focus on a lot more is to leverage the more formal relationships I established during the process with governments, regulators and law enforcement. It’s an interesting time right now where there’s clearly a lot of support for HIBP and the way it operates, but also a lot of focus on privacy and people having control of their own data which poses some interesting challenges. Here’s a simple example of the paradox I want to tackle with these groups: we all want privacy but we also all want to know where and how our data has been exposed and what the data is, how do we achieve both objectives? It’s non-trivial for many, many reasons, but it’s also important and HIBP has a role to play in the solution.

The list of all the things I want to tackle in the post-Svalbard era is lengthy and that’s also why I need the downtime: to be able to focus, prioritise and take HIBP forward with more enthusiasm and energy than ever.

Summary

I saw a comment only last week on my traffic spike blog post that really brought home how much I love running this project:

You’re living the dream and you make it look good Troy.

I love what I do. This is a fascinating industry that continues to challenge me in all sorts of ways I never expected and there’s not been a moment where I’ve felt bored or uninspired by it. To be able to continue running HIBP and shepherding it forward remains the dream, regardless of who owns it. So, I’ll finish this blog post on the same note I finished the last Project Svalbard one:

I’ve made this decision at a time where I have complete control of the process.

And so it remains today and for the foreseeable future, with HIBP as an independently operating service designed to do good after bad things happen. Thank you for reading this far, thank you for supporting both HIBP and myself, I’m off to have that board meeting 🏄‍♂️

Have I Been Pwned