Attacks/Breaches

2/6/2018
07:23 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
0%
100%

Uber's Response to 2016 Data Breach Was 'Legally Reprehensible,' Lawmaker Says

In Senate hearing, Uber CISO admits company messed up in not quickly disclosing breach that exposed data on 57 million people.

A senior US lawmaker Tuesday slammed ride-hailing giant Uber for not promptly disclosing a November 2016 breach that exposed personal data on 57 million people, choosing instead to pay $100,000 to keep the two perpetrators of the theft silent.

At a hearing before the Senate Committee for Commerce, Science & Transportation, Sen. Richard Blumenthal (D-Conn.) described Uber's action as "morally wrong and legally reprehensible."

Uber's payoff violated not only the law but also the norm of what should be expected in such situations, Blumenthal said. "Drivers and riders were not informed and neither was law enforcement. In fact, it was almost a form of obstruction of justice."

Uber CEO Dara Khosrowshahi last November disclosed that the company had a year ago quietly paid two hackers $100,000 to destroy data they had stolen from a cloud storage location. The compromised data included names and driver's license information for some 600,000 Uber drivers in the US, and also the names, email addresses, and cellphone numbers of some 57 million Uber riders and drivers worldwide in total.

Khosrowshahi claimed he learned of the data breach and the payoff only just prior to disclosing it and vowed to make changes to ensure the same lapse would not happen again. He also disclosed that Uber had fired CISO Joe Sullivan and another executive who had led the response to the breach.

In testimony before the Senate Committee Tuesday, Uber CISO John Flynn admitted the company had made a mistake in not disclosing the breach in a timely fashion. But he claimed the primary goal in paying the intruders was to protect the stolen data.

"I would like to echo statements made by new leadership, and state publicly that it was wrong not to disclose the breach earlier," Flynn said. There is no justification for Uber's breach notification failure, Flynn candidly admitted. "The real issue was we didn't have the right people in the room making the right decisions."

According to Flynn, Uber first learned about the breach on November 14, 2016, when one of the attackers sent an email informing the company that its data had been accessed. The attacker demanded a six-figure ransom payment for not leaking the data.

Uber security engineers were quickly able to determine the thieves had accessed copies of certain databases and files stored in a private location on Amazon's AWS cloud.

The attackers had apparently managed to gain access to the data using a legitimate credential that they found within code on a repository for Uber engineers on GitHub. The discovery prompted Uber to take immediate measures like implementing multifactor authentication on Github and across the company and adding auto-expiring credentials to protect against similar attacks.

In response to questions, Flynn admitted that Uber's decision to pay the $100,000 ransom amount, as a bug bounty, was a mistake as well. Like many other companies, Uber runs a vulnerability disclosure program that offers cash rewards to white-hat hackers who find and report exploitable security bugs in its services. HackerOne has been managing Uber's bug bounty program since 2018.

Blumenthal and Sen. Catherine Cortez Masto (D-Nev.) wanted to know why Uber had decided to pay the attackers the demanded $100,000 in the form a bug bounty. Both lawmakers pointed out that the actions by the two individuals was criminal in nature and not something that anyone would consider as responsible bug disclosure activity.

"The key distinction is they not only found a weakness but also exploited it in a malicious fashion to access and download data," Blumenthal noted. "Concealing, it in my view, is aiding and abetting the crime."

Masto expressed some incredulity that Uber would try to point malicious attackers to its managed bug bounty program in the first place. "So there was a criminal element trying to get into your data...and you are trying to put them on the right path?" she asked.

Flynn admitted that the intruders in this case were fundamentally different from usual bug hunters. He claimed that Uber decided to use the bug bounty program only as a means to gain attribution and assurances from the attackers. "We recognize that the bug bounty program is not an appropriate vehicle for dealing with intruders who seek to extort funds from the company," he noted.

Casey Ellis, founder of managed bug hunting service Bugcrowd, said today's hearing shines a spotlight on the ethics of Uber's response. "This was not a bug bounty payout. This was extortion, and the difference between the two is unambiguous."

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
BrianN060
50%
50%
BrianN060,
User Rank: Ninja
2/8/2018 | 10:55:32 AM
The facts are enough
The actions and inactions of Uber speak for themselves.  Sadly, congressional hearings have become less about fact-finding, than serving as a stage for politicians to coddle or condemn witnesses, in order to impress their constituencies, or further a partisan agenda.  Authors would be wise to filter the facts from the commentary and posturing.    

"---  Sen. Richard Blumenthal (D-Conn.) described Uber's action as "morally wrong and legally reprehensible."  ---"

As sound as the accusations against Uber may be; find a better judge of what is "moral" than CT's senator; his moral compass infallibly points in the direction of the TV cameras, and spins away from ever pointing out his own failures of judgement, or those of his compatriots.  [lifelong CT resident - unaffiliated voter]
Google Engineering Lead on Lessons Learned From Chrome's HTTPS Push
Kelly Sheridan, Staff Editor, Dark Reading,  8/8/2018
White Hat to Black Hat: What Motivates the Switch to Cybercrime
Kelly Sheridan, Staff Editor, Dark Reading,  8/8/2018
PGA of America Struck By Ransomware
Dark Reading Staff 8/9/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Now about that mortgage refinance offer from Wells Fargo .....
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-7097
PUBLISHED: 2018-08-14
A security vulnerability was identified in 3PAR Service Processor (SP) prior to SP-4.4.0.GA-110(MU7). The vulnerability may be exploited remotely to allow cross-site request forgery.
CVE-2018-7098
PUBLISHED: 2018-08-14
A security vulnerability was identified in 3PAR Service Processor (SP) prior to SP-4.4.0.GA-110(MU7). The vulnerability may be locally exploited to allow directory traversal.
CVE-2018-7099
PUBLISHED: 2018-08-14
A security vulnerability was identified in 3PAR Service Processor (SP) prior to SP-4.4.0.GA-110(MU7). The vulnerability may be locally exploited to allow disclosure of privileged information.
CVE-2018-7100
PUBLISHED: 2018-08-14
A potential security vulnerability has been identified in HPE OfficeConnect 1810 Switch Series (HP 1810-24G - P.2.22 and previous versions, HP 1810-48G PK.1.34 and previous versions, HP 1810-8 v2 P.2.22 and previous versions). The vulnerability could allow local disclosure of sensitive information.
CVE-2018-7077
PUBLISHED: 2018-08-14
A security vulnerability in HPE XP P9000 Command View Advanced Edition (CVAE) Device Manager (DevMgr 8.5.0-00 and prior to 8.6.0-00), Configuration Manager (CM 8.5.0-00 and prior to 8.6.0-00) could be exploited to allow local and remote unauthorized access to sensitive information.