11/22/2017
01:20 PM
Uber Paid Hackers $100K to Conceal 2016 Data Breach

The ride-sharing company has confirmed an October 2016 data breach that compromised 57 million accounts.

Uber late yesterday disclosed that hackers in October 2016 had gained access to data stored in a third-party cloud storage account resulting in a breach affecting 57 million people, including users and drivers. The ride-sharing service paid the attackers $100,000 to keep the attack quiet.

What's especially alarming about the data breach is not its size - previous attacks on Yahoo, Equifax, Anthem, and Target were comparatively larger - but how Uber handled it.

"What makes this one stand out is absolutely the time duration," says McAfee Labs vice president Vincent Weafer. "It's almost a year ago that the actual event occurred; we're just finding out about it now."

Hackers were able to access and download names and driver's license numbers of about 600,000 drivers in the US. Compromised rider data includes names, email addresses, and mobile phone numbers, Uber's CEO Dara Khosrowshahi said in a blog post.

Uber's forensics experts have not seen signs indicating attackers downloaded trip location history, credit card numbers, bank account numbers, Social Security numbers, or dates of birth.

Several federal and state laws require businesses to alert both customers and government agencies following data breaches. Not only did Uber fail to do this, but it also paid the attackers, who stole the data and then demanded $100,000 from the company to delete it.

Uber tracked down the hackers and pushed them to sign nondisclosure agreements, and disguised the payout as part of a bug bounty program, the New York Times reports. While Uber did launch a bug bounty program in 2016, rewards are capped at $10,000 for critical bugs. It's unclear whether the actors in this case were malicious, or gray-hat hackers who merely wanted to give Uber a vulnerability wake-up call.

The company's chief security officer Joe Sullivan, who led the response to last year's attack, and his deputy have been terminated for concealing the breach. Former CEO and cofounder Travis Kalanick learned of the attack in November 2016 but has not yet commented, Bloomberg reports.

How it happened

Hackers reportedly gained access to a private GitHub coding site used among Uber software engineers. There, they found login credentials for an Amazon Web Services account where Uber handled computing tasks. The account contained an archive of customer and driver data.

"This appears to be a prime example of good intentions gone bad," says Imperva CTO Terry Ray. "Using an online collaboration and coding platform isn't necessarily wrong, and it isn't clear if getting your accounts hacked on these platforms is even uncommon."

While technical details are still unclear, Snyk CEO and co-founder Guy Podjarny says it's likely attackers compromised one of the developers, who typically work in privileged environments. Developers "aren't necessarily the most secure individuals," he points out, and they're quick to be early adopters and try new tools.

The hackers' path could have been as simple as a phishing attack or unsecured WiFi network. Once an attacker had access to one developer's machine, they could have gained access to the rest of the network, the GitHub account, and the credentials they needed to log into AWS.

The problem starts with using live production data on an online platform where credentials were accessible on GitHub, Ray explains.

"It's all too common that developers are allowed to copy live production data for use in development, testing, and QA," he says. "This data is almost never monitored or secured, and as we can see here, it is often stored in various locations and is often easily accessed by nefarious actors."

These repositories are usually private, but unless someone takes the time to fine-tune access, large portions of the development team can see them. "It takes special effort to fine-tune which developers have access to which repositories," adds Podjarny.

One mistake was checking a password into GitHub, which could have been surfaced during an internal pen test or security audit. Another was granting developers access to the repository with so much sensitive data. Given how many attacks start with compromised credentials, it's on companies to ensure employees use 2FA for critical applications and don't have access to sensitive data they don't need.

"You should never have the keys to the kingdom shared," says Podjarny of storing credentials in GitHub. "If they're compromised in one place, they're going to be exploited in another area."
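The mistake described above, a credential checked into a shared repository, is one that a routine pre-commit secret scan can surface before a security audit ever has to. The following Python is an added example written for this article, not Uber's tooling: it flags AWS-format access key IDs, secret keys, and any other assignment whose value is long and high-entropy. The sample config and its key values are constructed placeholders, and the length and entropy thresholds are assumptions to tune per repository.

```python
"""Flag credential-looking content before it is committed to a shared repo."""
import math
import re
import sys
from collections import Counter

# Public AWS key ID format: a 4-letter prefix plus 16 uppercase alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
# Secret keys are 40 characters from the base64 alphabet, usually next to this name.
SECRET_RE = re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*[A-Za-z0-9/+=]{40}")
# Generic "name = value" assignment; the value is checked for length and entropy.
ASSIGNMENT_RE = re.compile(r"^\s*([A-Za-z_][\w.-]*)\s*[=:]\s*['\"]?([^\s'\"#]+)")
MIN_LEN, MIN_ENTROPY = 20, 3.5  # tuning assumptions, not AWS- or Uber-specific values

# Constructed sample config; every value is a placeholder that only mimics the format.
SAMPLE_FILE = """\
[default]
aws_access_key_id = AKIAEXAMPLE0123456AB
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
region = us-east-1
db_password = hunter2
api_token = "9f8a7b6c5d4e3f2a1b0c9d8e7f6a5b4c"
"""

def shannon_entropy(value):
    """Bits per character; random-looking tokens score near log2(alphabet size)."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())

def scan_text(text):
    """Return (line_number, finding_kind) for each line that looks like a credential."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if ACCESS_KEY_RE.search(line):
            findings.append((line_no, "aws_access_key_id"))
        elif SECRET_RE.search(line):
            findings.append((line_no, "aws_secret_access_key"))
        else:
            match = ASSIGNMENT_RE.search(line)
            value = match.group(2) if match else ""
            if len(value) >= MIN_LEN and shannon_entropy(value) >= MIN_ENTROPY:
                findings.append((line_no, "high_entropy_value"))
    return findings

if __name__ == "__main__":  # usage: python scan_secrets.py <files...>; exit 1 blocks the commit
    hits = [(p, n, k) for p in sys.argv[1:] for n, k in scan_text(open(p, errors="replace").read())]
    for path, line_no, kind in hits:
        print(f"{path}:{line_no}: possible {kind}")
    sys.exit(1 if hits else 0)
```

Wired into a pre-commit hook, a non-zero exit stops the commit; the same function can be pointed at existing repository history to find credentials that are already checked in and need rotating.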

Experts agree: paying hackers is a risky move and should be avoided, but there are circumstances in which it's necessary. "Even if you pay money to hackers, you're relying on them being honest," says Weafer. "They could have copies or be selling it on the Dark Web."

Casey Ellis, founder and CTO at Bugcrowd, calls the Uber scenario "garden variety extortion." While it was not best practice to pay in this scenario, there are circumstances in which it's economically rational and less risky. The big problem here is with responsible disclosure; organizations have a "clear responsibility" to disclose breaches and alert those affected.

"Paying off hackers without following disclosure laws is ill advised at best," Ellis says. "Extortion is not a dying practice - as long as there are economically incented adversaries and companies willing to pay we'll continue to see it."

What's Next

Khosrowshahi, who took the wheel at Uber in September 2017 and says he recently learned about the hack, reports the company took "immediate steps" to secure the data and prevent further unauthorized access by attackers.

"We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed," he writes. "We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts."

Khosrowshahi has hired Matt Olsen, former general counsel of the National Security Agency, to help guide response efforts. Drivers whose license numbers were downloaded will be individually notified and receive free credit monitoring and identity theft protection. Uber is also notifying regulatory authorities and flagging affected accounts for fraud protection.

"None of this should have happened, and I will not make excuses for it," says Khosrowshahi in his post. "We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers."


Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance & Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.

Comments

Joe Stanganelli, User Rank: Ninja, 11/27/2017 | 3:58:53 PM
GitHub + password reuse
Indeed, there have been numerous breaches in the news lately stemming from a GitHub hack. Password reuse is a common problem in these cases.