The Uber breach, which I’m sure you’ve heard about by now, was made public about the time I shuttered my office for the Thanksgiving break. Initially, I thought it would be very old news when I returned to my office. After all, breaking news surrounding breaches has a limited shelf life before the next big event happened. However, the more I thought about it and the more I learned about it, I realized I had to write about it. So many of my posts encourage you to improve your education about cybersecurity. The Uber breach is certainly an educational opportunity in how not to behave when a breach occurs.
For an overview on what happened with this breach, eSecurity Planet reported:
In a statement, Uber CEO Dara Khosrowshahi said two hackers "inappropriately accessed user data stored on a third-party cloud-based service that we use."
Specifically, Bloomberg reports, the hackers accessed a private GitHub site used by Uber software engineers, then used passwords they found there to access an Amazon Web Services account belonging to the company, where they found the sensitive data.
That’s just the beginning. The hack was discovered more than a year ago, and it wasn’t revealed until Thanksgiving week. Were they trying to hide under cover of a busy holiday, when we’re distracted with other news? Or were they just too busy with all of the other problems Uber has experienced recently and a data breach was pushed aside as no big deal? Then we find out that Uber officials tried to cover the hack by paying a $100,000 ransom to the hackers, asking them to delete the stolen information so the breach wouldn’t have to be reported. Finally, there were the security missteps with AWS.
And this isn’t the first time Uber has been in trouble for failing to protect sensitive information. Chris Morales, head of security analytics at Vectra, told me in an email comment that Uber was already in hot water for a breach in 2014, a compromise of Uber’s database running on AWS. Uber agreed to 20 years of privacy audits, adding:
It misrepresented the extent of the breach and the extent of their security controls in place to protect information. This was clearly not the case as the systems compromised in 2016 are still in AWS hosting much of the same information, only on a much bigger scale. This breach happened at the same time Uber was already under investigation by U.S. regulators for the 2014 breach.
As Morales and others said to me via email, possibly worse than the breach was the cover up. California has breach notification laws, which clearly weren’t followed, and as was mentioned to me, had GDPR been in effect, Uber would have been facing serious financial loss for the breach and mishandling of it. Tom DeSot, EVP and CIO at Digital Defense, added in an email:
It is commonplace for companies to hold on the disclosure while a forensics firm determines the depth and breadth of the breach so that when the disclosure does take place, it gives consumers the facts about the situation and how they might want to respond (credit monitoring, etc.). That said, keeping the breach quiet for so long is not the best security practice.
There is so much else I could write about this particular breach. Such as following up on Asher de Metz, security consulting manager at Sungard Availability Services, commentary to me regarding the failing of security training – a topic that I may return to in a future blog post. We can provide all the training possible, but if your employees aren’t going to follow those best practices, what do you do?
All in all, I don’t think it is hyperbole to say that this was an all-round massive failure by Uber. Personally, I’ve long been hesitant to use Uber because I didn’t trust the company to handle my personal information, and am now glad I followed my instincts. The reputational hit the company will take could cause significant damage. My question to you is this: What are you doing to ensure that your company won’t be the next Uber?
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba