Uber Breach of 57M Records Undisclosed For More Than One Year

November 22, 2017

Uber stayed silent for more than a year about a breach that exposed 57 million records, and secretly paid the attackers. What is worse than a data breach for a large company’s customers? Simple: an undisclosed data breach.

Uber’s breach is dominating the news right now, and it should prompt serious reflection on how security incidents are managed, especially with the European GDPR about to take effect.

Uber deliberately concealed a 2016 breach that exposed 57 million records, conduct made even worse by the fact that the company’s own security leadership did everything it could to hide what had happened.

The incident was disclosed by Dara Khosrowshahi, CEO of the private-transport multinational. According to Bloomberg, the theft took place in October 2016 and affected customers worldwide. The attackers accessed personal data of 57 million users, and the license numbers of 600,000 US drivers were also stolen. Again according to Bloomberg, the attackers obtained credentials from a GitHub repository used by Uber’s development team, then tried to extort the company, demanding $100,000 in exchange for not publishing the stolen data.

“It is arguably morally incorrect and unacceptable in today’s world for an organization, particularly one as widely used as Uber, to not only delay reporting a data breach, but to actually attempt to cover it up! Come May 25th next year, the General Data Protection Regulation (GDPR) will mean that all organizations that deal with EU citizens’ data will need to report a breach within 72 hours or risk being fined up to 4% of their annual turnover. Considering that Uber’s revenue last year came to $6.5 billion, they’d be at risk of being fined $260 million.

Lots of people will question how this breach occurred and what could have been done to prevent it. Reports suggest that the breach took place because hackers were able to access Uber’s log-in credentials to Amazon Web Services which were, for some reason, available on a private area of GitHub. It doesn’t seem right that Uber, a company commonly regarded as THE digital transformation company, seemingly forgot the basics of traditional IT and failed to provide proper governance over an area of their business like the R&D department who were using cloud tools. Ultimately, when it comes to security and IT, it’s vital to get the basics right first – otherwise your technological innovations will be built on incredibly weak foundations. However, the real issue here is that Uber showed a blatant disregard for their employees’ and customers’ data by trying to cover up the breach, and that the breach has only been reported to the public a year after it occurred.

EU GDPR is trying to help organizations realize the importance of data protection come May 2018. ‘Doing an Uber’ will be unacceptable, so organizations need to be working overtime now to get their technology, people and processes ready for compliance,” said Simon Townsend, Chief Technologist EMEA at Ivanti and an expert in GDPR best practices and endpoint security.
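The root cause described above, an AWS key pair sitting in a GitHub repository, is exactly what a secret scan catches before code is pushed. The Python below is an added example written for this article; it is not Uber’s tooling or a product from any company quoted here. It matches the AWS access key ID format (AKIA or ASIA prefix, 20 uppercase alphanumerics), matches a 40-character secret key only when it sits next to a credential-looking variable name, drops low-entropy placeholders, and applies the same scan to only the added lines of a git diff the way a pre-commit hook would. The sample config and diff are constructed, and the key pair is AWS’s own documentation example (AKIAIOSFODNN7EXAMPLE), not a live credential.

```python
"""Detect AWS credentials committed to source, as an added example (not Uber's code)."""
import math
import re
from collections import Counter
from typing import List, NamedTuple


class Finding(NamedTuple):
    source: str
    lineno: int
    kind: str
    value: str


# AWS access key IDs are 20 chars: AKIA for long-term IAM keys, ASIA for temporary STS keys.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])((?:AKIA|ASIA)[A-Z0-9]{16})(?![A-Z0-9])")

# Secret access keys are 40 chars from [A-Za-z0-9/+]. A bare 40-char token is too noisy,
# so require a credential-looking name and an assignment before it.
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws_?secret(?:_access)?_key|secret_access_key)"
    r"\s*[:=]\s*[\"']?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+=])"
)


def shannon_entropy(s: str) -> float:
    """Bits per character: about 5 for a random 40-char key, 0 for a run of one character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str, source: str = "<input>", min_entropy: float = 3.5) -> List[Finding]:
    """Return every credential-shaped token in text, one Finding per match."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(source, lineno, "aws_access_key_id", m.group(1)))
        for m in SECRET_KEY_RE.finditer(line):
            secret = m.group(1)
            # Placeholders such as 'xxxx...' or 'AAAA...' have low entropy; real keys are near-random.
            if shannon_entropy(secret) >= min_entropy:
                findings.append(Finding(source, lineno, "aws_secret_access_key", secret))
    return findings


def scan_diff(diff: str, source: str = "<diff>") -> List[Finding]:
    """Pre-commit use: examine only lines being added ('+' but not the '+++' file header).

    Line numbers in the result refer to lines of the diff, not of the file.
    """
    added = []
    for line in diff.splitlines():
        if line.startswith("+") and not line.startswith("+++"):
            added.append(line[1:])
        else:
            added.append("")  # keep numbering aligned with the diff
    return scan_text("\n".join(added), source)


# Constructed sample input. The key pair is AWS's documentation example, not a live credential.
PLACEHOLDER = "x" * 40
SAMPLE_CONFIG = f"""\
[default]
region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[staging]
aws_secret_access_key = {PLACEHOLDER}
"""

# Constructed diff: a developer replaces an environment lookup with hard-coded keys.
SAMPLE_DIFF = """\
diff --git a/deploy/settings.py b/deploy/settings.py
--- a/deploy/settings.py
+++ b/deploy/settings.py
@@ -1,3 +1,4 @@
 import os
-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
 BUCKET = "rider-exports"
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG, "credentials") + scan_diff(SAMPLE_DIFF, "commit"):
        # Never echo the full secret into CI logs; show enough to locate it.
        print(f"{f.source}:{f.lineno}: {f.kind} {f.value[:4]}...{f.value[-4:]}")
```

The diff scan only stops new leaks. A key that has already been pushed, even if the line is later removed, remains in the repository history and must be treated as compromised and rotated; the scan is no substitute for short-lived STS credentials and MFA on the cloud account itself.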

The most troubling part of the story begins here. Rather than notifying customers and law enforcement of the breach, as California’s data breach law requires, Uber sought to bury it. Uber’s Chief Security Officer Joe Sullivan ordered the ransom paid and the story covered up, with the evidence destroyed. To justify paying the attackers, the company disguised the payment as a reward under its bug bounty program. In other words, the company identified the hackers and, instead of reporting them, added their names to the list of ethical hackers who had responsibly disclosed issues in its systems, rewarding their efforts with $100,000.

In a statement issued last Tuesday, Khosrowshahi said the intruders had accessed archives of the data hosted in the cloud:

“I recently learned that at the end of 2016, we realized that two people outside the company had mistakenly accessed user data stored on a third-party cloud service we use. The incident did not violate our systems or business infrastructures.
“At the time of the incident, we took immediate action to protect the data and prevent further unauthorized access by the individuals. Subsequently we identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access and strengthen controls on our cloud-based storage accounts,” reads the CEO’s statement. “You may be wondering why we are talking about this now, a year later. I asked the same question, so I immediately ordered a thorough investigation of what happened and how we handled the situation.”

“Paying criminals to delete stolen data and failing to notify victims is disturbing on multiple levels. At a minimum, it flies in the face of ethics and transparency. It emboldens attackers and keeps the cyber-security community from understanding techniques that could help other organizations prevent a similar attack. From a legal perspective, notification failure will inevitably cost the company dearly in terms of penalties and lawsuits. In fact, UK regulators are digging in already to understand the scope, which could trigger GDPR-related fines.

From what we know, attackers accessed GitHub, a code repository hosting service used by Uber developers. They obtained login credentials and hacked into a server storing data about Uber riders and drivers. This is a fairly ‘vanilla’ attack in terms of its sophistication. It could have been prevented by locking down access using an approach like a software-defined perimeter (SDP). Essentially, SDP isolates the user from accessing resources they aren’t entitled to see by leveraging multiple factors. It takes into consideration what the user is trying to do at the time they’re trying to do it. For example, in this case, the system could have required the hackers to present a one-time password before granting access to the server,” said Chris Day, Chief Cybersecurity Officer at Cyxtera.

As a result of the internal inquiry ordered by the CEO, Sullivan and one of his deputies were dismissed.

The CEO said that this kind of thing will not happen again, because protecting its customers’ security and privacy is central to Uber’s mission.

“Although I cannot erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the heart of every decision we make and working hard to earn the trust of our customers,” added Khosrowshahi.

The CEO added that outside forensic experts found no indication that more sensitive data such as trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth had been downloaded; the company is nevertheless monitoring the affected accounts for signs of fraud.

Uber has now reported the incident to the authorities and notified every driver whose data was involved in the breach. The company is offering them free credit monitoring and identity theft protection.

New York Attorney General Eric Schneiderman also launched an investigation into Uber’s data breach.

This is not the first time the company has been breached. Uber suffered an earlier data breach in May 2014, but it was only discovered in February 2015.

In that attack, the names and driver’s license numbers of more than 50,000 of the company’s drivers were compromised.

In June 2016, security researchers at Integrity found more than a dozen flaws in Uber’s website that could have exposed driver and passenger data to attackers.

“There’s already a lot to learn about this breach and how it was handled, but as with every breach, we’re likely to learn more as the incident receives more scrutiny. Some of that scrutiny is now coming from the New York Attorney General. Sometimes the wheels of the law move slowly, but they tend to have more stamina than the headlines. We’ve seen a growing pattern with executive impact from cybersecurity breaches, and while it may seem more than warranted in this case, the pattern is continuing with Uber and its Chief Security Officer. A cover-up like this can’t help but drive the question of what other breaches are known, but kept quiet. It can’t help but damage consumer confidence, not just in Uber, but in any company collecting personal data. Consumers now have to worry about undisclosed breaches in addition to undiscovered breaches,” said Tim Erlin, VP of product management and strategy at Tripwire.

With the holidays upon us, breaches are likely to become more frequent, and the companies that provide us services, whether online for ecommerce or for transportation like Uber, must take these risks more seriously and, if they are breached, do the right thing and notify us immediately.

by Pierluigi Paganini and Gary Miliefsky
