Following on from the controversy over Uber's licence to operate in London being suspended due to a lack of corporate responsibility, news has broken today that Uber suffered a massive data breach in 2016. Worse than the breach itself is the subsequent cover-up perpetrated by Uber's management, coupled with the fact that they paid the hackers $100,000 to "delete the data [and] keep quiet."
Joe Sullivan, who was lured from Facebook in 2015 to be Uber's security chief, has been sacked as a result.
James Lyne, Sophos' Cyber Security Advisor, has said, "Uber isn't the only and won't be the last company to hide a data breach or cyber attack. Not notifying consumers put them at greater risk of being victimized by fraud. It's for precisely this reason that many countries are driving to regulations with mandatory breach disclosure."
The attack, which happened in October 2016, exposed the names, email addresses and phone numbers of 50 million Uber riders from all around the world. The personal information of approximately 7 million drivers was accessed as well, including around 600,000 US driver's licence numbers.
One positive note is that no social security numbers, credit card details or trip location details were stolen.
Uber’s programmers uploaded security credentials to a GitHub repository
It has transpired that Uber's programmers uploaded security credentials to a GitHub repository; from there it was elementary for the hackers to use those credentials to access Uber's servers hosted on Amazon.
Chester Wisniewski, Sophos’ Principal Research Scientist, has commented, “Uber’s breach demonstrates once again how developers need to take security seriously and never embed or deploy access tokens and keys in source code repositories. I would say it feels like I have watched this movie before, but usually, organizations aren’t caught while actively involved in a cover-up. Putting the drama aside and the potential impacts of the upcoming GDPR enforcement, this is just another development team with poor security practices that have shared credentials. Sadly, this is common more often than not in agile development environments.”
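One concrete guard against the failure Wisniewski describes, as an added example that is not Uber's, Sophos' or any vendor's code: a pre-commit scan that fails when staged text contains an AWS access key ID, or a high-entropy 40-character token sitting next to a secret-key keyword. The regexes, entropy threshold and sample config are constructed here; the key values are placeholders in AWS format, not live credentials.

```python
"""Pre-commit style scanner for AWS credentials left in source (added example)."""
import math
import re

# Access key IDs: 4-char prefix (AKIA long-term, ASIA temporary) + 16 uppercase alnum.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# Secret keys: 40 base64-alphabet chars; require a nearby keyword so hashes are not flagged.
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws_?secret_?access_?key|secret_?key)\W{0,5}([A-Za-z0-9/+=]{40})\b"
)
ENTROPY_MIN = 3.5  # bits/char; a random 40-char secret is usually above 4.5


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; near 0 for repeated or filler strings."""
    if not s:
        return 0.0
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)


def scan_text(text: str) -> list[dict]:
    """Return one finding per suspected credential with its 1-based line number."""
    findings: list[dict] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append({"line": lineno, "kind": "aws_access_key_id", "value": m.group(0)})
        for m in SECRET_KEY_RE.finditer(line):
            # Keyword match alone is not enough: drop low-entropy filler like "aaaa...".
            if shannon_entropy(m.group(1)) >= ENTROPY_MIN:
                findings.append({"line": lineno, "kind": "aws_secret_access_key", "value": m.group(1)})
    return findings


# Constructed sample: a credentials file as it might look just before `git add`.
# The key values are placeholders in AWS format, not live credentials.
SAMPLE_CONFIG = """[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
region = eu-west-1
# filler string that must not be reported:
secret_key = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
"""

if __name__ == "__main__":
    hits = scan_text(SAMPLE_CONFIG)
    for h in hits:
        print(f"line {h['line']}: {h['kind']} starting {str(h['value'])[:4]}...")
    raise SystemExit(1 if hits else 0)  # non-zero exit blocks the commit in a hook
```

Wired in as a Git pre-commit hook over `git diff --cached`, the non-zero exit stops the commit before the credential ever reaches the remote; the same scan can be run against repository history to find keys that must be rotated.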
Rik Ferguson, Vice President Security Research at Trend Micro, has said that it is "heartening" to see that Uber's new management team have come clean about the breach, but he "remains concerned" at some of the wording in the blog post by Mr Khosrowshahi which revealed the breach. Mr Ferguson continued, "[Mr. Khosrowshahi] appears to distance Uber's 'corporate systems and infrastructure' from the 'third-party cloud-based service' that was the target of the breach. This is perhaps indicative of the root of the problem. Cloud services adopted by a business *are* corporate systems and infrastructure and from a security perspective should be treated as such; you can't outsource accountability."
Mr Ferguson's final comment is especially relevant following the news last week regarding Cash Converters' own breach, where again the blame was initially placed on a third party rather than the company taking responsibility for the failure.
Further breaches are certainly bound to happen in future, and industry analysts will surely be watching and listening for which companies are brave enough to accept accountability and which will continue to try to shift the blame. It is for the leaders of all kinds of businesses that look after personal data to take note of the recent headlines and start a culture shift, acknowledging that responsibility cannot be passed on when failures like this occur.