Uber late yesterday disclosed that hackers in October 2016 had gained access to data stored in a third-party cloud storage account resulting in a breach affecting 57 million people, including users and drivers. The ride-sharing service paid the attackers $100,000 to keep the attack quiet.
What's especially alarming about the data breach is not its size - previous attacks on Yahoo, Equifax, Anthem, and Target were comparatively larger - but how Uber handled it.
"What makes this one stand out is absolutely the time duration," says McAfee Labs vice president Vincent Weafer. "It's almost a year ago that the actual event occurred; we're just finding out about it now."
Hackers were able to access and download names and driver's license numbers of about 600,000 drivers in the US. Compromised rider data includes names, email addresses, and mobile phone numbers, Uber's CEO Dara Khosrowshahi said in a blog post.
Uber's forensics experts have not seen signs indicating attackers downloaded trip location history, credit card numbers, bank account numbers, Social Security numbers, or dates of birth.
Several federal and state laws require businesses to alert both customers and government agencies following data breaches. Not only did Uber fail to do this, but it also paid the attackers who stole the data then demanded $100,000 from the company to delete it.
Uber tracked down the hackers and pushed them to sign nondisclosure agreements,and disguised the payout as part of a bug bounty program, the New York Times reports. While Uber did launch a bug bounty program in 2016, rewards are capped at $10,000 for critical bugs. It's unclear whether the actors in this case were malicious, or gray-hat hackers who merely wanted to give Uber a vulnerability wake-up call.
The company's chief security officer Joe Sullivan, who led the response to last year's attack, has been terminated for concealing the breach, as well as his deputy. Former CEO and cofounder Travis Kalanick learned of the attack in November 2016 but has not yet commented, Bloomberg reports.
How it happened
Hackers reportedly gained access to a private GitHub coding site used among Uber software engineers. There, they found login credentials for an Amazon Web Services account where Uber handled computing tasks. The account contained an archive of customer and driver data.
"This appears to be a prime example of good intentions gone bad," says Imperva CTO Terry Ray. "Using an online collaboration and coding platform isn't necessarily wrong, and it isn't clear if getting your accounts hacked on these platforms is even uncommon."
While technical details are still unclear, Snyk CEO and co-founder Guy Podjarny says it's likely attackers compromised one of the developers, who typically work in privileged environments. Developers "aren't necessarily the most secure individuals," he points out, and they're quick to be early adopters and try new tools.
The hackers' path could have been as simple as a phishing attack or unsecured WiFi network. Once an attacker had access to one developer's machine, they could have gained access to the rest of the network, the GitHub account, and the credentials they needed to log into AWS.
The problem starts with using live production data on an online platform where credentials were accessible on GitHub, Ray explains.
"It's all too common that developers are allowed to copy live production data for use in development, testing, and QA," he says. "This data is almost never monitored or secured, and as we can see here, it is often stored in various locations and is often easily accessed by nefarious actors."
These repositories are usually private but unless someone takes time to fine-tune access, large portions of the development team can see them. "It takes special effort to fine-tune which developers have access to which repositories," adds Podjarny.
One mistake was checking a password into GitHub, which could have been surfaced during an internal pen test or security audit. Another was granting developers access to the repository with so much sensitive data. Given how many attacks start with compromised credentials, it's on companies to ensure employees use 2FA for critical applications and don't have access to sensitive data they don't need.
"You should never have the keys to the kingdom shared," says Podjarny of storing credentials in GitHub. "If they're compromised in one place, they're going to be exploited in another area."
Experts agree: paying hackers is a risky move and should be avoided, but there are circumstances in which it's necessary. "Even if you pay money to hackers, you're relying on them being honest," says Weafer. "They could have copies or be selling it on the Dark Web."
Casey Ellis, founder and CTO at Bugcrowd, calls the Uber scenario "garden variety extortion." While it was not best practice to pay in this scenario, there are circumstances in which it's economically rational and less risky. The big problem here is with responsible disclosure; organizations have a "clear responsibility" to disclose breaches and alert those affected.
"Paying off hackers without following disclosure laws is ill advised at best," Ellis says. "Extortion is not a dying practice - as long as there are economically incented adversaries and companies willing to pay we'll continue to see it."
Khosrowshahi, who took the wheel at Uber in September 2017 and says he recently learned about the hack, reports the company took "immediate steps" to secure the data and prevent further unauthorized access by attackers.
"We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed," he writes. "We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts."
Khosrowshahi has hired Matt Olsen, former general counsel of the National Security Agency, to help guide response efforts. Drivers whose license numbers were downloaded will be individually notified and receive free credit monitoring and identity theft protection. Uber is also notifying regulatory authorities and flagging affected accounts for fraud protection.
"None of this should have happened, and I will not make excuses for it," says Khosrowshahi in his post. "We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers."
Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.