Risk

11/22/2017
03:00 PM
Joseph Carson
Joseph Carson
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Time to Pull an Uber and Disclose Your Data Breach Now

There is never a good time to reveal a cyberattack. But with EU's GDPR looming, the fallout is only going to get harder and more expensive if you wait.

Uber has finally disclosed that the company experienced a cybersecurity breach in 2016, when the personal details of both drivers and customers were hacked by cybercriminals. Apparently, the company also paid a small ransom to have the data destroyed.

Here we go again. Another data breach … another CSO gets the ax and departs for mishandling a major incident. Sadly, this is becoming a common trend. 

The big news here is that Uber concealed the data breach, which increased the cyber-risk of both drivers and customers, as well as a loss of trust from investors and governments. The mishandling of credentials for an Amazon Web Services (AWS) account was reportedly behind the data breach, a deficiency that demonstrates that companies really need to adhere to the industry recommendations on securing and protecting privileged credentials. Not protecting these credentials can lead to major cyber incidents, making the difference between a simple perimeter breach and a cyber catastrophe. Privileged access management (PAM) has long been a major problem, and this incident is just another example of a company not managing access and securing the keys to the kingdom. 

According to Forrester Research, approximately 80% of data breaches (registration required) are a result of stolen or compromised privileged credentials, making privileged credentials security a must for many industry regulations. Not protecting them exposes companies to compliance failure as well as data breaches like we have now seen with Uber. This data breach also demonstrates the importance of incident handling as a major part of an organization's cybersecurity policy — and doing it right can change the outcome of many cyber incidents. You cannot wait until it is too late to get your incident response plan in place.    

In the time since this data breach occurred, Uber has experienced a change in CEOs, and disclosure of this breach gives Uber CEO Dara Khosrowshahi an opportunity to set things straight and change a perception that has dogged Uber for the past few years surrounding many scandals.

Why now? Why should organizations follow Uber's poor example of disclosure as soon as they can?

With the upcoming EU General Data Protection Regulation (GDPR), which goes into enforcement in May 2018, businesses of all sizes, around the world, will face huge financial penalties for failure to disclose data breaches and be required to follow a strict 72-hour breach notification to authorities in the countries affected. The GDPR replaces the European General Data Protection Directive from 1995 and provides the foundation for companies taking responsibility for protecting European citizens' private data. 

This means organizations are accountable and responsible for all the information they collect. The more information they gather, the more data they must account for, and therefore the more data they are responsible for. If a data breach occurs, and it is found that adequate security measures were not in place, there are significant penalties and fines: 20 million euros or 4% of annual turnover.  In my rough calculation, if we use Uber's gross bookings from 2016 of $20 billion (USD), then Uber, in a post-May 2018 GDPR world, could face possible financial penalties of $800 million, which of course would be much higher than it would be facing by disclosing the data breach today. 

Bottom line: If you are you hiding a major data breach like Uber, you might want to follow Uber's example and disclose it ASAP.

Or maybe you have not found the data breach yet. Then you had better get looking immediately before it is too late and you put your entire business (and with it, your reputation) at risk. I suspect many companies that provide services to EU citizens will need to think hard about keeping major data breaches a secret. We may see more companies, like Uber, face the reality that now is a good time to put out their dirty laundry and survive the tougher cyber regulations looming on the horizon.

Cybersecurity should never be an afterthought. Protecting privileged accounts, especially those that provide access to customer and employee personal data, should be a major priority along with a solid incident response plan and training on how to respond effectively and according to regulations and compliance requirements. Lastly, in today's threat environment, cybersecurity has to become everyone's responsibility. We need to empower our employees to be the strongest link because we are all on the front line and we need to ensure that everyone on the front line is educated and protected.   

Related Content:

 

Joseph Carson has more than 25 years' experience in enterprise security, is the author of Privileged Account Management for Dummies and Cybersecurity for Dummies, and is a cybersecurity professional and ethical hacker. Joseph is a cybersecurity adviser to several governments, ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
jdub161
50%
50%
jdub161,
User Rank: Apprentice
11/30/2017 | 10:58:53 PM
Cumulative CSO sackings
Great article Joseph, got me thinking about the cumulative effect of sacking CSO's.  Now some CSO's I know are nothing more than a glorified IT Security Manager and by not keeing Cyber on the strategic agenda have probably created their own demise.

However, if the 'standard' response to a major data breach is to sack the CSO to appease the markets & media after a time will we not get to a point where effective CSO's are also being chopped and not re-hired?  Does this lead us to a place where we are culling the very people from an industry that is already short-staffed?

 

Jason
Want Your Daughter to Succeed in Cyber? Call Her John
John De Santis, CEO, HyTrust,  5/16/2018
Don't Roll the Dice When Prioritizing Vulnerability Fixes
Ericka Chickowski, Contributing Writer, Dark Reading,  5/15/2018
Why Enterprises Can't Ignore Third-Party IoT-Related Risks
Charlie Miller, Senior Vice President, The Santa Fe Group,  5/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "Security through obscurity"
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-11232
PUBLISHED: 2018-05-18
The etm_setup_aux function in drivers/hwtracing/coresight/coresight-etm-perf.c in the Linux kernel before 4.10.2 allows attackers to cause a denial of service (panic) because a parameter is incorrectly used as a local variable.
CVE-2017-15855
PUBLISHED: 2018-05-17
In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel, the camera application triggers "user-memory-access" issue as the Camera CPP module Linux driver directly accesses the application provided buffer, which resides in u...
CVE-2018-3567
PUBLISHED: 2018-05-17
In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel, a buffer overflow vulnerability exists in WLAN while processing the HTT_T2H_MSG_TYPE_PEER_MAP or HTT_T2H_MSG_TYPE_PEER_UNMAP messages.
CVE-2018-3568
PUBLISHED: 2018-05-17
In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel, in __wlan_hdd_cfg80211_vendor_scan(), a buffer overwrite can potentially occur.
CVE-2018-5827
PUBLISHED: 2018-05-17
In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel, a buffer overflow vulnerability exists in WLAN while processing an extscan hotlist event.