Attacks/Breaches

2/6/2018
07:23 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
0%
100%

Uber's Response to 2016 Data Breach Was 'Legally Reprehensible,' Lawmaker Says

In Senate hearing, Uber CISO admits company messed up in not quickly disclosing breach that exposed data on 57 million people.

A senior US lawmaker Tuesday slammed ride-hailing giant Uber for not promptly disclosing a November 2016 breach that exposed personal data on 57 million people, choosing instead to pay $100,000 to keep the two perpetrators of the theft silent.

At a hearing before the Senate Committee for Commerce, Science & Transportation, Sen. Richard Blumenthal (D-Conn.) described Uber's action as "morally wrong and legally reprehensible."

Uber's payoff violated not only the law but also the norm of what should be expected in such situations, Blumenthal said. "Drivers and riders were not informed and neither was law enforcement. In fact, it was almost a form of obstruction of justice."

Uber CEO Dara Khosrowshahi last November disclosed that the company had a year ago quietly paid two hackers $100,000 to destroy data they had stolen from a cloud storage location. The compromised data included names and driver's license information for some 600,000 Uber drivers in the US, and also the names, email addresses, and cellphone numbers of some 57 million Uber riders and drivers worldwide in total.

Khosrowshahi claimed he learned of the data breach and the payoff only just prior to disclosing it and vowed to make changes to ensure the same lapse would not happen again. He also disclosed that Uber had fired CISO Joe Sullivan and another executive who had led the response to the breach.

In testimony before the Senate Committee Tuesday, Uber CISO John Flynn admitted the company had made a mistake in not disclosing the breach in a timely fashion. But he claimed the primary goal in paying the intruders was to protect the stolen data.

"I would like to echo statements made by new leadership, and state publicly that it was wrong not to disclose the breach earlier," Flynn said. There is no justification for Uber's breach notification failure, Flynn candidly admitted. "The real issue was we didn't have the right people in the room making the right decisions."

According to Flynn, Uber first learned about the breach on November 14, 2016, when one of the attackers sent an email informing the company that its data had been accessed. The attacker demanded a six-figure ransom payment for not leaking the data.

Uber security engineers were quickly able to determine the thieves had accessed copies of certain databases and files stored in a private location on Amazon's AWS cloud.

The attackers had apparently managed to gain access to the data using a legitimate credential that they found within code on a repository for Uber engineers on GitHub. The discovery prompted Uber to take immediate measures like implementing multifactor authentication on Github and across the company and adding auto-expiring credentials to protect against similar attacks.

In response to questions, Flynn admitted that Uber's decision to pay the $100,000 ransom amount, as a bug bounty, was a mistake as well. Like many other companies, Uber runs a vulnerability disclosure program that offers cash rewards to white-hat hackers who find and report exploitable security bugs in its services. HackerOne has been managing Uber's bug bounty program since 2018.

Blumenthal and Sen. Catherine Cortez Masto (D-Nev.) wanted to know why Uber had decided to pay the attackers the demanded $100,000 in the form a bug bounty. Both lawmakers pointed out that the actions by the two individuals was criminal in nature and not something that anyone would consider as responsible bug disclosure activity.

"The key distinction is they not only found a weakness but also exploited it in a malicious fashion to access and download data," Blumenthal noted. "Concealing, it in my view, is aiding and abetting the crime."

Masto expressed some incredulity that Uber would try to point malicious attackers to its managed bug bounty program in the first place. "So there was a criminal element trying to get into your data...and you are trying to put them on the right path?" she asked.

Flynn admitted that the intruders in this case were fundamentally different from usual bug hunters. He claimed that Uber decided to use the bug bounty program only as a means to gain attribution and assurances from the attackers. "We recognize that the bug bounty program is not an appropriate vehicle for dealing with intruders who seek to extort funds from the company," he noted.

Casey Ellis, founder of managed bug hunting service Bugcrowd, said today's hearing shines a spotlight on the ethics of Uber's response. "This was not a bug bounty payout. This was extortion, and the difference between the two is unambiguous."

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
BrianN060
50%
50%
BrianN060,
User Rank: Ninja
2/8/2018 | 10:55:32 AM
The facts are enough
The actions and inactions of Uber speak for themselves.  Sadly, congressional hearings have become less about fact-finding, than serving as a stage for politicians to coddle or condemn witnesses, in order to impress their constituencies, or further a partisan agenda.  Authors would be wise to filter the facts from the commentary and posturing.    

"---  Sen. Richard Blumenthal (D-Conn.) described Uber's action as "morally wrong and legally reprehensible."  ---"

As sound as the accusations against Uber may be; find a better judge of what is "moral" than CT's senator; his moral compass infallibly points in the direction of the TV cameras, and spins away from ever pointing out his own failures of judgement, or those of his compatriots.  [lifelong CT resident - unaffiliated voter]
Want Your Daughter to Succeed in Cyber? Call Her John
John De Santis, CEO, HyTrust,  5/16/2018
Don't Roll the Dice When Prioritizing Vulnerability Fixes
Ericka Chickowski, Contributing Writer, Dark Reading,  5/15/2018
Why Enterprises Can't Ignore Third-Party IoT-Related Risks
Charlie Miller, Senior Vice President, The Santa Fe Group,  5/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "Security through obscurity"
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-11232
PUBLISHED: 2018-05-18
The etm_setup_aux function in drivers/hwtracing/coresight/coresight-etm-perf.c in the Linux kernel before 4.10.2 allows attackers to cause a denial of service (panic) because a parameter is incorrectly used as a local variable.
CVE-2017-15855
PUBLISHED: 2018-05-17
In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel, the camera application triggers "user-memory-access" issue as the Camera CPP module Linux driver directly accesses the application provided buffer, which resides in u...
CVE-2018-3567
PUBLISHED: 2018-05-17
In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel, a buffer overflow vulnerability exists in WLAN while processing the HTT_T2H_MSG_TYPE_PEER_MAP or HTT_T2H_MSG_TYPE_PEER_UNMAP messages.
CVE-2018-3568
PUBLISHED: 2018-05-17
In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel, in __wlan_hdd_cfg80211_vendor_scan(), a buffer overwrite can potentially occur.
CVE-2018-5827
PUBLISHED: 2018-05-17
In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel, a buffer overflow vulnerability exists in WLAN while processing an extscan hotlist event.