New York Startup Competitions Breach Tax Information

3 years ago

Competition management tool Skild is the latest in a long line of suppliers to breach their clients' data.

Skild helps startup competitions, VCs, governments and other types of competition organisers run their contests, providing them with expertise and a platform to facilitate judging, entries and more.

The breach appears to impact three startup competitions: 76 West, Grow NY and 43 North.

76West is an unparalleled competition focused on growing entrepreneurs and attracting resources from the U.S. and around the world to build clean energy businesses and jobs in New York State’s Southern Tier region.

Grow-NY is a business competition focused on growing an enduring food and agriculture innovation cluster in the Grow-NY region. The competition attracts innovative, high-growth food and agriculture startups from across the globe and engages them in the region’s rapidly-growing startup ecosystem.

43North is an accelerator that hosts an annual startup competition, investing $5M per year to attract and retain high-growth companies in Buffalo, NY.

This breach is of particular interest due to the nature of the data breached.

According to TurgenSec’s responsible notice (found here), the data breached ranged from standard PII (name, email, phone) to the entries submitted to the startup competitions, judging criteria, results and even tax information of entrants.

Screenshot from TurgenSec responsible disclosure

According to TurgenSec's responsible disclosure statement, they could not get confirmation that Skild had contacted those impacted, and no public statement was found on the Skild website at the time of publication disputing this.

TurgenSec issued the following request to Skild:

“We encourage Skild to submit the breached data to digital forensics specialists to ascertain the extent of this data breach.

We also encourage Skild to inform any relevant regulatory body, especially if there are UK or EU citizens' data contained within the breach, as these should be reported to the local regulator (ICO in the UK). And to issue a public disclosure of this data breach explaining how this datastore breach occurred, including the full extent of what was breached so that the impacted companies, entrants, judges and host organisations can take the necessary steps to protect themselves.”
