UBER RANSOMWARE SCANDAL

Uber data breach cover-up: Security experts aghast at negligence

Adam Bannister is a contributor to IFSEC Global, having been in the role of Editor from 2014 through to November 2019. Adam also had stints as a journalist at cybersecurity publication, The Daily Swig, and as Managing Editor at Dynamis Online Media Group.
November 27, 2017

Another week, another data breach at one of the world’s biggest or most famous companies.

So far, so unsurprising (how did we get used to the regular loss of millions of people’s data in one fell swoop?).

Except the Uber breach, which involved the theft of 57 million people’s personal information – customers and drivers – has a novel twist.

Companies are often slow to reveal that they have been breached (under the forthcoming GDPR, which requires organisations to notify the supervisory authority within 72 hours of becoming aware of a breach, that delay alone can attract eye-watering fines). This time, however, Uber also admitted that it paid the hackers responsible $100,000 on the condition that they deleted the data – including names, email addresses, phone numbers and driving licence numbers – and kept quiet about the breach.

Trusting criminals to keep their end of the bargain has proven to be naïve, however.

“None of this should have happened, and I will not make excuses for it,” Uber CEO Dara Khosrowshahi said in a statement. “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.”

Two employees involved in this initial response to the breach have left the company, the statement revealed.

Scrambling to handle the fallout, Uber has offered its drivers free credit monitoring and identity theft protection.

According to Bloomberg, the stolen data was stored unencrypted in Uber’s Amazon Web Services account, and the two hackers reached it using login credentials for that account which they had obtained.
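The two weaknesses in that report, cloud credentials that an outsider could obtain and data held without encryption at rest, each have a routine check. The following Python is an added illustration of both, not code from the article, from Bloomberg or from Uber: a scanner that flags AWS access keys left in source or configuration files, and a check of an S3 bucket's default server-side encryption rule. The article does not say where the credentials came from, so the scanner's input is a constructed credentials file using the placeholder key pair from AWS's own documentation; the bucket configurations and the key alias `alias/rider-data` are likewise made up for the example.

```python
"""Offline checks for the two failure modes the article names: cloud
login credentials left where they can be read, and data stored without
encryption at rest. Added illustration; all inputs are constructed."""
import re
from typing import Dict, List, Optional, Tuple

# AWS access key IDs are 20 characters: a prefix (AKIA for long-term keys,
# ASIA for temporary ones) followed by 16 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")
# Secret access keys are 40 characters from the base64 alphabet. On their
# own they look like any other blob, so they are only reported when an
# access key ID appeared within the previous few lines.
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")
SECRET_WINDOW = 3  # lines after an access key ID in which to look for a secret


def find_aws_credentials(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, kind) for each credential found in `text`.

    Only positions are returned, never the values, so the scanner's own
    output cannot become a second place the secret is written down.
    """
    hits: List[Tuple[int, str]] = []
    last_key_line: Optional[int] = None
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ACCESS_KEY_RE.search(line):
            hits.append((lineno, "access_key_id"))
            last_key_line = lineno
        if last_key_line is not None and lineno - last_key_line <= SECRET_WINDOW:
            if SECRET_KEY_RE.search(line):
                hits.append((lineno, "secret_access_key"))
    return hits


def bucket_lacks_default_encryption(bucket_config: Dict) -> bool:
    """True if an S3 bucket has no default server-side encryption rule.

    `bucket_config` follows the shape of `aws s3api get-bucket-encryption`
    output. An empty dict stands in for a bucket with no configuration at
    all (the CLI reports that case as an error rather than an empty document).
    """
    rules = bucket_config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo in ("AES256", "aws:kms", "aws:kms:dsse"):
            return False
    return True


# Constructed sample: an AWS-CLI style credentials file using the
# placeholder key pair from AWS's documentation, not a real secret.
SAMPLE_CREDENTIALS_FILE = """\
# constructed example, not from any real repository
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
region = us-east-1
"""

# Constructed bucket configurations: one with no rule, one with SSE-KMS.
UNENCRYPTED_BUCKET: Dict = {}
ENCRYPTED_BUCKET: Dict = {
    "ServerSideEncryptionConfiguration": {
        "Rules": [{"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": "alias/rider-data",  # hypothetical key alias
        }}]
    }
}

if __name__ == "__main__":
    for lineno, kind in find_aws_credentials(SAMPLE_CREDENTIALS_FILE):
        print(f"line {lineno}: hard-coded {kind}")
    for name, cfg in (("unencrypted", UNENCRYPTED_BUCKET), ("encrypted", ENCRYPTED_BUCKET)):
        print(f"{name} bucket: default encryption missing = {bucket_lacks_default_encryption(cfg)}")
```

One caveat when reading the second check: a default-encryption rule protects against someone reading the underlying storage, not against a caller who presents valid credentials, because S3 decrypts transparently for any authorised request. In the scenario the article describes, it is the credential scan (run in pre-commit hooks and CI over every repository and config file) that addresses the path the attackers took; bucket encryption is worth having but would not have stopped it.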

It’s the latest in a series of scandals to hit the company.

It emerged last year that the Metropolitan Police investigated 32 drivers for alleged rape or sexual assault of passengers between May 2015 and May 2016, courtesy of Freedom of Information data obtained by The Sun. Writing to TfL in August, Metropolitan Police Inspector Neil Billany revealed that the company had continued to employ a driver accused of sexual assault who then went on to assault another female passenger before he was finally sacked.

A number of cybersecurity experts have offered their thoughts on the implications of the hack below.


“It’s fascinating that even in light of the mega breaches of 2016 and 2017, companies consider non or delayed breach disclosure as an option”

Mark Sangster, VP, eSentire

“It’s fascinating that even in light of the mega breaches of 2016 and 2017, companies consider non or delayed breach disclosure as an option. The number of records compromised in the Uber hack far exceeds the entire population of Canada.

“We’re not talking small beans, here. Unfortunately for Uber, I expect that its breach will set a new precedent when it comes to regulatory compliance and disclosure mandates. Companies today have no excuse when it comes to cybersecurity controls.

“Tools and guidelines exist to help organisations and firms prepare and navigate breach remediation and disclosure. In Uber’s case, you have a company already enduring a PR firestorm. Mix in a significant one-year old, non-disclosed breach and that storm suddenly becomes a hurricane.

“Now it will be Uber’s turn to navigate a labyrinth of financial and state breach notification laws given a user base spanning the globe, particularly as the EU is set to usher in the General Data Protection Regulation (GDPR) to prevent this sort of delay in breach notification.”


“How do we know all of the data has been deleted? And how do we know that some accounts weren’t ‘cherry-picked’ for belonging to high-net users and then sold to the highest bidder?”

Dr Jamie Graves, CEO, ZoneFox

“The Uber hack is precisely why GDPR is coming into force. Time and time again we’ve seen significant data breaches, which will have serious implications for those whose data was involved, dismissed or covered up by major organisations.

“The incoming legislation that requires organisations to investigate and inform victims of a breach within 72 hours will at least give those affected a chance to get ahead of the criminal gangs that have their sensitive data.

“However, the most disturbing aspect of the Uber case is that they paid money to those responsible to destroy the data. As we have seen in numerous other cases, these gangs are the last group of people to be trusted. For example, ransomware distribution groups often will not decrypt the data they have locked away after receiving payment.

“So how do we know all of the data has been deleted? And how do we know that some accounts weren’t ‘cherry-picked’ for belonging to high-net users and then sold to the highest bidder?

“Uber CEO Dara Khosrowshahi wants to ‘change the way they do business’ – a thorough and immediate independent investigation into this attack would be a good place to start.”


“Companies have made large strides in making bounty reporting less like the ‘Wild West’ – the Uber breach undermines those efforts”

Chris Boyd, Lead Malware Intelligence Analyst, Malwarebytes

“This breach is not only hugely aggravating for those affected, but also raises questions about the value of bug bounty programs. Companies have made large strides in trying to make bounty reporting, in general, a lot less like the ‘Wild West’, and something like this undermines those efforts.

“Especially when you consider many bounties pay out a lot less than the £75,000 Uber offered to hackers, before the chunk of taxes that comes out of a bounty.

“Whilst not communicating a breach cannot be condoned, the upcoming GDPR will hopefully not only lead to better governance and protections, but also serve to reduce the stigma around hacks. So rather than just seeing headline-grabbing fines on a practical level, we will also see big lessons learned by organisations.

“Ultimately, if businesses are afraid to come forward and admit a breach, how will we – as a society – ever learn from and beat the cyber miscreants?”


“Uber is a very attractive target for professional hackers – this may be just a tip of the iceberg.”

Ilia Kolochenko, CEO, High-Tech Bridge

“I think the most important thing now is to ascertain that the alleged scope of the breach is not mistakenly underestimated or deliberately concealed. Uber is a very attractive target for professional hackers, from Black Hat mercenaries to nation-state groups. The uncovered incident may be just the tip of the iceberg.

“Taking into consideration currently available but not yet confirmed facts, the root cause of the incident is Uber’s banal negligence.

“Nonetheless, it’s too early to blame anyone or to make any ultimate conclusions until the remaining technical details have been properly investigated and publicly disclosed.

“Speaking about the legal side of the breach, it will likely bestow on Uber a wide spectrum of lawsuits in different jurisdictions and quite painful sanctions.”
