Following on from the controversy of Uber’s licence to operate in London being suspended due to a lack of corporate responsibility, news has broken today that Uber suffered a massive data breach in 2016. Worse than the breach itself is the subsequent cover-up perpetrated by Uber’s management, coupled with the fact that they paid the hackers $100,000 to “delete the data [and] keep quiet.”

Joe Sullivan, who was lured from Facebook in 2015 to be Uber’s security chief, has been sacked as a result.

James Lyne, Sophos’ Cyber Security Advisor, has said: “Uber isn’t the only and won’t be the last company to hide a data breach or cyber attack. Not notifying consumers put them at greater risk of being victimized by fraud. It’s for precisely this reason that many countries are driving to regulations with mandatory breach disclosure.”

The data taken in the attack, which happened in October 2016, included the names, email addresses and phone numbers of 50 million Uber riders from all around the world. The personal information of approximately 7 million drivers was accessed as well, including around 600,000 US driver’s licence numbers.

One positive note is that no social security numbers, credit card details or trip location details were stolen.

Uber’s programmers uploaded security credentials to a GitHub repository

It has transpired that Uber’s programmers uploaded security credentials to a GitHub repository – from there it was elementary for the hackers to use those credentials to access Uber’s servers hosted on Amazon.

Chester Wisniewski, Sophos’ Principal Research Scientist, has commented: “Uber’s breach demonstrates once again how developers need to take security seriously and never embed or deploy access tokens and keys in source code repositories. I would say it feels like I have watched this movie before, but usually, organizations aren’t caught while actively involved in a cover-up. Putting the drama aside and the potential impacts of the upcoming GDPR enforcement, this is just another development team with poor security practices that have shared credentials. Sadly, this is common more often than not in agile development environments.”
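The mitigation Mr Wisniewski describes, keeping access keys out of source repositories, is usually enforced with a pre-commit or CI scan. The following is an added example, not code from Uber or from any of the commentators quoted here: it scans file contents for the fixed shape of an AWS access key ID and for 40-character secret keys that sit next to an `aws_secret…key` label, using an entropy check to ignore obvious placeholders. The sample settings file and its key values are constructed (they are the publicly documented AWS example keys, not live credentials).

```python
"""Pre-commit style scan for AWS credentials accidentally placed in source files."""
import math
import re
from collections import Counter

# AWS access key IDs have a fixed, recognisable shape: AKIA/ASIA plus 16 upper-case letters or digits.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Secret keys are 40 base64-like characters; require a nearby "secret key" label to cut noise.
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_\-]?secret[_\-]?(?:access[_\-]?)?key\W{0,5}([A-Za-z0-9/+=]{40})"
)
# Strings at or below this entropy (bits per character) are treated as placeholders, not secrets.
PLACEHOLDER_ENTROPY = 3.5


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0.0 for a string made of one repeated character."""
    counts = Counter(s)
    return -sum((c / len(s)) * math.log2(c / len(s)) for c in counts.values())


def find_credentials(text: str) -> list:
    """Return (line_number, kind, value) for every credential-looking token in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((lineno, "aws_access_key_id", m.group(0)))
        for m in SECRET_KEY_RE.finditer(line):
            secret = m.group(1)
            if shannon_entropy(secret) > PLACEHOLDER_ENTROPY:
                findings.append((lineno, "aws_secret_access_key", secret))
    return findings


# Constructed sample: a credentials file that should never reach a repository.
# The key values are AWS's documented example keys, not real credentials.
SAMPLE_CONFIG = """\
# constructed sample settings file
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
[staging]
aws_secret_access_key = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
"""

if __name__ == "__main__":
    for lineno, kind, value in find_credentials(SAMPLE_CONFIG):
        print(f"line {lineno}: {kind} found ({value[:4]}...)")  # never echo the full secret
```

Wired into a pre-commit hook, a non-empty result from `find_credentials` is the signal to block the commit before it ever reaches a shared repository.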

Rik Ferguson, Vice President Security Research at Trend Micro, has said that it is “heartening” to see that Uber’s new management team have come clean about the breach, but he “remains concerned” at some of the wording in the blog post of Mr Khosrowshahi which revealed the breach. Mr Ferguson continued: “[Mr. Khosrowshahi] appears to distance Uber’s ‘corporate systems and infrastructure’ from the ‘third-party cloud-based service’ that was the target of the breach. This is perhaps indicative of the root of the problem. Cloud services adopted by a business *are* corporate systems and infrastructure and from a security perspective should be treated as such – you can’t outsource accountability.”

Mr Ferguson’s final comment is especially relevant following last week’s news of Cash Converters’ own breach – there, too, the blame was initially placed on a third party rather than responsibility for the failure being accepted.

Further breaches are certainly bound to happen in future – industry analysts will surely be watching and listening for which companies are brave enough to accept accountability and which will continue to try to shift the blame. It is up to the leaders of every kind of business that looks after personal data to take note of the recent headlines and start a culture shift, acknowledging that responsibility cannot be passed on when failures like this occur.
