Uber Data Hack

Following on from the controversy of Uber’s licence to operate in London being suspended due to a lack of corporate responsibility, news has broken today that Uber suffered a massive data breach in 2016. But worse than this is the subsequent cover-up perpetrated by Uber’s management, coupled with the fact that they paid the hackers $100,000 to “delete the data [and] keep quiet.”

Joe Sullivan, who was lured from Facebook in 2015 to be Uber’s security chief, has been sacked as a result.

James Lyne, Sophos’ Cyber Security Advisor, has said, “Uber isn’t the only and won’t be the last company to hide a data breach or cyber attack. Not notifying consumers puts them at greater risk of being victimized by fraud. It’s for precisely this reason that many countries are driving to regulations with mandatory breach disclosure.”

The attack, which happened in October 2016, exposed the names, email addresses and phone numbers of 50 million Uber riders from all around the world. The personal information of approximately 7 million drivers was accessed as well, including around 600,000 US driver’s licence numbers.

One positive note is that no social security numbers, credit card details or trip location details were stolen.

Uber’s programmers uploaded security credentials to a GitHub repository

It has transpired that Uber’s programmers uploaded security credentials to a GitHub repository – from there it was elementary for the hackers to access Uber’s servers hosted on Amazon.

Chester Wisniewski, Sophos’ Principal Research Scientist, has commented, “Uber’s breach demonstrates once again how developers need to take security seriously and never embed or deploy access tokens and keys in source code repositories. I would say it feels like I have watched this movie before, but usually, organizations aren’t caught while actively involved in a cover-up. Putting the drama aside and the potential impacts of the upcoming GDPR enforcement, this is just another development team with poor security practices that have shared credentials. Sadly, this is common more often than not in agile development environments.”
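As an added illustration of the practice Wisniewski describes (this is not code from Uber, Sophos or the original article), the following Python example scans repository contents for AWS-style credentials so a commit can be blocked before they reach GitHub. The rule names, function names and sample files are assumptions made for this example, and the key values are the placeholder credentials used in AWS documentation.

```python
import re

# Rules for credential material that should never reach a repository.
RULES = [
    ("aws-access-key-id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("aws-secret-access-key", re.compile(
        r"(?i)aws_?secret_?access_?key\s*[:=]\s*[\"']?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
]

def redact(secret):
    """Show only the first four characters so reports do not re-leak the secret."""
    return secret[:4] + "*" * (len(secret) - 4)

def scan_text(path, text):
    """Return (path, line_no, rule, redacted_match) for each hit in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            for m in pattern.finditer(line):
                secret = m.group(m.lastindex or 0)
                findings.append((path, line_no, rule, redact(secret)))
    return findings

def scan_staged(files):
    """Scan a mapping of {path: content}; a pre-commit hook would block on any finding."""
    findings = []
    for path, text in sorted(files.items()):
        findings.extend(scan_text(path, text))
    return findings

# Constructed sample repository contents. The key values are the placeholder
# credentials used in AWS documentation, not real secrets.
SAMPLE_FILES = {
    "deploy/settings.py": (
        "REGION = 'us-east-1'\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    "app/handlers.py": "def handler(event):\n    return event['rider_id']\n",
}

if __name__ == "__main__":
    for finding in scan_staged(SAMPLE_FILES):
        print("%s:%d: %s (%s)" % finding)
```

A scan like this only stops new commits; a key that has already been pushed stays in the repository history and has to be revoked and rotated.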

Rik Ferguson, Vice President Security Research at Trend Micro, has said that it is “heartening” to see that Uber’s new management team have come clean about the breach, but he “remains concerned” at some of the wording in the blog of Mr Khosrowshahi which revealed the breach. Mr Ferguson continued, “[Mr. Khosrowshahi] appears to distance Uber’s ‘corporate systems and infrastructure’ from the ‘third-party cloud-based service’ that was the target of the breach. This is perhaps indicative of the root of the problem. Cloud services adopted by a business *are* corporate systems and infrastructure and from a security perspective should be treated as such – You can’t outsource accountability.”

Mr Ferguson’s final comment is especially relevant following the news last week regarding Cash Converter’s own breach – again the blame for the breach was initially placed on a third party rather than responsibility for the failure being taken on board.

Further breaches are certainly bound to happen in future – industry analysts will surely be watching and listening for which companies are brave enough to accept accountability and which will continue to try and shift the blame. It is for the leaders of all kinds of businesses that look after personal data to take note of the recent headlines and start a culture shift acknowledging that responsibility cannot be passed on when failures like this occur.

 
