$100,000 was the sum Uber was willing to pay to make its data breach problems go away.
We are all used to news of data breaches and the reputational apocalypse that follows, but this one stands out head and shoulders above the rest. Uber has been found trying to cover its tracks by paying hackers to delete 57 million sets of customer and driver data stolen in 2016.
Among the stolen data were email addresses, names and mobile phone numbers, while 600,000 sets of license details of Uber drivers were also in the mix.
Dara Khosrowshahi, CEO, Uber, said in a statement: “At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals. We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.”
To obtain these assurances, executives paid the hackers $100,000 to make the problem go away, ignoring the established practice of disclosing data breaches that affect customers and the business. The breach occurred under the tenure of ex-CEO Travis Kalanick, adding to the company's already lamentable record in the eyes of the public.
“None of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes,” said Khosrowshahi.
GDPR will spring to the minds of many: the General Data Protection Regulation applies from 25 May 2018 and promises potentially crippling fines for non-compliant businesses. In regard to the Uber breach specifically, GDPR requires swift notification of such incidents (to the supervisory authority within 72 hours of the organisation becoming aware, and to the affected individuals without undue delay where the breach puts them at high risk), placing the company firmly in the firing line.
Raj Samani, Chief Scientist and Fellow at McAfee, said: “As a regular Uber customer myself, this news makes me incredibly angry. Uber has treated its customers with a complete lack of respect. Millions of people will now be worrying over what has happened to their personal data over the past 12 months, and Uber is directly responsible for this… In opting to not only cover up the breach, but actually pay the hackers, Uber has directly contributed to the growth of cybercrime and the company needs to be held accountable for this.”
A mind-blowing cover-up
Dan Panesar, VP EMEA at Certes Networks, said: “Uber may be the latest in a long line of big names to hit the headlines in the wake of serious data breaches, however it is the handling of the attack that is the biggest cause for concern. The lengths gone to by the executive team to conceal the loss of personal data from staff and customers is mind-blowing, and there simply isn’t a place or excuse for it.”
“Most likely the Uber C-suite, seeing the repercussions of cyber-attacks on similar household names, were keen to avoid the reputational damage – a massive error of judgement. The reality is that customer distrust of the brand will be amplified by the company’s attempts to hide the facts from them and points to the need for change in the industry.”
There is no sweeping this one under the carpet, Uber
David Kennerley, Director of Threat Research at Webroot, said: “The fact is there is absolutely no guarantee the hackers didn’t create multiple copies of the stolen data for future extortion or to sell on further down the line. A security breach of this size will potentially damage any business’ reputation, but how a company behaves following a breach is vital. Potential victims deserve to be informed as soon as possible, so they can better protect themselves going forward – from changing passwords and being aware that they are now prime phishing targets. Being open and transparent and keeping customers informed is key, you can’t simply sweep these things under the carpet.”
Chester Wisniewski, Principal Research Scientist, Sophos, said: “Uber’s breach demonstrates once again how developers need to take security seriously and never embed or deploy access tokens and keys in source code repositories. I would say it feels like I have watched this movie before, but usually organizations aren’t caught while actively involved in a cover-up. Putting the drama aside and the potential impacts from the upcoming GDPR enforcement, this is just another development team with poor security practices that has shared credentials. Sadly, this is common more often than not in agile development environments.”
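Wisniewski's point about tokens and keys in repositories is one you can enforce mechanically, with a secret scanner run as a pre-commit hook or a CI gate. The scanner below is an added example, not code from Sophos, Uber or the original article. It matches a few publicly documented credential formats (AWS access key IDs, GitHub personal access tokens, Slack tokens, PEM private-key headers) and falls back to a Shannon-entropy heuristic for assignments whose name looks like a password, secret or key; the sample source it scans is constructed for this demonstration, and the entropy threshold of 3.5 bits per character is an assumption you would tune against your own code base.

```python
import math
import re
from collections import Counter

# Publicly documented token shapes. Only the shapes are real; every value in
# SAMPLE below is constructed for this example.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[A-Za-z0-9-]{10,}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"
    ),
}

# Assignments such as password = "..." / SECRET_KEY: '...' / api_key="..."
# with a quoted literal of at least 8 characters on the right-hand side.
ASSIGNMENT = re.compile(
    r"(?i)\b(?P<name>[a-z0-9_.-]*"
    r"(?:passw(?:or)?d|secret|token|api[_-]?key|access[_-]?key)"
    r"[a-z0-9_.-]*)\s*[:=]\s*['\"](?P<value>[^'\"]{8,})['\"]"
)

# Literal values that are obviously placeholders rather than live secrets.
PLACEHOLDERS = {"changeme", "password", "placeholder", "redacted"}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: random keys score high, words score low."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_text(text: str, entropy_threshold: float = 3.5):
    """Return (line_no, rule, match) for every suspected secret in text.

    Known token formats win; the entropy heuristic only runs on lines that
    matched no format, so each line yields at most one kind of finding.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        hit = False
        for rule, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append((line_no, rule, m.group(0)))
                hit = True
        if hit:
            continue
        for m in ASSIGNMENT.finditer(line):
            value = m.group("value")
            # Variable interpolation and placeholders are fine; only a literal,
            # high-entropy value is treated as a committed secret.
            if value.startswith("${") or value.lower() in PLACEHOLDERS:
                continue
            if shannon_entropy(value) >= entropy_threshold:
                findings.append((line_no, "high_entropy_assignment", m.group("name")))
    return findings


# Constructed sample of a config module as it might be committed by mistake.
SAMPLE = """\
import os
# constructed sample: the next two lines are what a leaked config looks like
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYzR9qLm2Tv0"
db_password = os.environ["DB_PASSWORD"]
password = "changeme"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for line_no, rule, match in scan_text(SAMPLE):
        print(f"line {line_no}: {rule}: {match}")
```

Run as a pre-commit hook, the same `scan_text` would be applied to the added lines of each staged diff and a non-empty result would block the commit; the environment-variable lookup on line 5 of the sample is the pattern the scanner is meant to push developers towards.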
GDPR will change the game
Gary Cox, Technology Director for Western Europe at Infoblox, said: “With news that Uber concealed a breach dating from 2016, we can clearly see where GDPR will dramatically change the way that organisations disclose and manage data breaches with their customers. Uber has already been penalised for failing to disclose a breach in 2014, to the tune of $20,000 – but for organisations of this size, such a sum is merely a drop in the ocean. The more grievous fines under GDPR and obligations to immediately report breaches will ensure that, post-May 2018, organisations won’t have the liberty to take the call on whether a slap on the wrist at a later date is a better outcome than communicating the loss of personal data of their customers.”
Dr. Jamie Graves, CEO, ZoneFox, said: “The Uber hack is precisely why GDPR is coming into force. Time and time again we’ve seen significant data breaches, which will have serious implications for those whose data was involved, dismissed or covered up by major organisations. The incoming legislation that requires organisations to investigate and inform victims of a breach within 72 hours will at least give those affected a chance to get ahead of the criminal gangs that have their sensitive data.”
The right way to be ready for a breach
Jason Hart, CTO, Data Protection at Gemalto, said: “The goal should not be to hide these breaches or even prevent them—it should be to make them secure breaches by taking a more intelligent, data-centric approach to security. This means knowing exactly where your valuable data resides, who has access to it, how it is transferred, and when and where it is encrypted and decrypted. Of the 1.9 billion data records compromised worldwide in the first half of 2017, less than 1 percent were encrypted. That’s all that had to be done here and it’s what other organizations need to do in the future to avoid this.”
Public vs private cloud
Chris Morales, head of security analytics at Vectra, said: “As more and more companies are putting mission-critical applications and data into the public cloud, such as the 57 million records exposed in Uber’s 2016 breach, it’s vital for organisations to understand the differences in private versus public clouds and the cybersecurity threats each face.”
“The only way to stop breaches from happening is for businesses to act as if their systems have already been compromised and focus on finding the attacker before the attacker finds critical data. The lesson here is don’t assume the same security tools used in a private cloud will protect you in the public cloud. To detect malicious behaviour in the public cloud, you have to know what can be attacked and understand how it would be done.”
You can’t outsource accountability
“It is heartening to see the new management team come clean about the breach, but I remain concerned at some of the wording in Mr. Khosrowshahi’s blog. He appears to distance Uber’s “corporate systems and infrastructure” from the “third-party cloud-based service” that was the target of the breach. This is perhaps indicative of the root of the problem. Cloud services adopted by a business *are* corporate systems and infrastructure and from a security perspective should be treated as such… You can’t outsource accountability.”
A wake-up call for CSOs
Sam Curry, Chief Security Officer, Cybereason, said: “Above all, this is a wake-up call to the industry that CSOs have a responsibility not just to the companies that they work for, but the people whose data is affected. In other words, Joe Sullivan and crew should have acted in the interest of the public good and public safety and made these tough choices far, far sooner. It’s time not to let another Equifax, Deloitte, etc. happen and to leave no grey area to security officers as to what the right thing to do is.”