
11/22/2017
03:00 PM
Joseph Carson
Commentary

Time to Pull an Uber and Disclose Your Data Breach Now

There is never a good time to reveal a cyberattack. But with EU's GDPR looming, the fallout is only going to get harder and more expensive if you wait.

Uber has finally disclosed that the company experienced a cybersecurity breach in 2016, when the personal details of both drivers and customers were hacked by cybercriminals. Apparently, the company also paid a small ransom to have the data destroyed.

Here we go again. Another data breach … another CSO gets the ax and departs for mishandling a major incident. Sadly, this is becoming a common trend. 

The big news here is that Uber concealed the data breach, which increased the cyber-risk to both drivers and customers and led to a loss of trust from investors and governments. The mishandling of credentials for an Amazon Web Services (AWS) account was reportedly behind the data breach, a deficiency that demonstrates that companies really need to adhere to the industry recommendations on securing and protecting privileged credentials. Not protecting these credentials can lead to major cyber incidents, making the difference between a simple perimeter breach and a cyber catastrophe. Privileged access management (PAM) has long been a major problem, and this incident is just another example of a company failing to manage access and secure the keys to the kingdom.

According to Forrester Research, approximately 80% of data breaches are a result of stolen or compromised privileged credentials, making privileged credential security a must for many industry regulations. Not protecting them exposes companies to compliance failure as well as data breaches like the one we have now seen with Uber. This data breach also demonstrates the importance of incident handling as a major part of an organization's cybersecurity policy, and doing it right can change the outcome of many cyber incidents. You cannot wait until it is too late to get your incident response plan in place.

In the time since this data breach occurred, Uber has experienced a change in CEOs, and disclosure of this breach gives Uber CEO Dara Khosrowshahi an opportunity to set things straight and change a perception that has dogged Uber for the past few years surrounding many scandals.

Why now? Why should organizations follow Uber's poor example of disclosure as soon as they can?

With the upcoming EU General Data Protection Regulation (GDPR), which goes into enforcement in May 2018, businesses of all sizes, around the world, will face huge financial penalties for failure to disclose data breaches and be required to follow a strict 72-hour breach notification to authorities in the countries affected. The GDPR replaces the European General Data Protection Directive from 1995 and provides the foundation for companies taking responsibility for protecting European citizens' private data. 

This means organizations are accountable and responsible for all the information they collect. The more information they gather, the more data they must account for, and therefore the more data they are responsible for. If a data breach occurs, and it is found that adequate security measures were not in place, there are significant penalties and fines: 20 million euros or 4% of annual turnover.  In my rough calculation, if we use Uber's gross bookings from 2016 of $20 billion (USD), then Uber, in a post-May 2018 GDPR world, could face possible financial penalties of $800 million, which of course would be much higher than it would be facing by disclosing the data breach today. 

Bottom line: If you are hiding a major data breach like Uber, you might want to follow Uber's example and disclose it ASAP.

Or maybe you have not found the data breach yet. Then you had better get looking immediately before it is too late and you put your entire business (and with it, your reputation) at risk. I suspect many companies that provide services to EU citizens will need to think hard about keeping major data breaches a secret. We may see more companies, like Uber, face the reality that now is a good time to put out their dirty laundry and survive the tougher cyber regulations looming on the horizon.

Cybersecurity should never be an afterthought. Protecting privileged accounts, especially those that provide access to customer and employee personal data, should be a major priority along with a solid incident response plan and training on how to respond effectively and according to regulations and compliance requirements. Lastly, in today's threat environment, cybersecurity has to become everyone's responsibility. We need to empower our employees to be the strongest link because we are all on the front line and we need to ensure that everyone on the front line is educated and protected.   


Joseph Carson has more than 25 years' experience in enterprise security, is the author of Privileged Account Management for Dummies and Cybersecurity for Dummies, and is a cybersecurity professional and ethical hacker. Joseph is a cybersecurity adviser to several governments, ...
Comments
jdub161,
User Rank: Apprentice
11/30/2017 | 10:58:53 PM
Cumulative CSO sackings
Great article Joseph, got me thinking about the cumulative effect of sacking CSOs. Now some CSOs I know are nothing more than a glorified IT Security Manager and by not keeping Cyber on the strategic agenda have probably created their own demise.

However, if the 'standard' response to a major data breach is to sack the CSO to appease the markets & media, after a time will we not get to a point where effective CSOs are also being chopped and not re-hired? Does this lead us to a place where we are culling the very people from an industry that is already short-staffed?

 

Jason