Uber has discovered that when it rains, it really pours. Since Bloomberg broke the news that the ride-hailing giant had suffered a massive breach of more than 57 million customer and driver records, it has been hit with three lawsuits and five independent investigations from the attorneys general of New York, Missouri, Massachusetts, Connecticut, and Illinois. And that's not to mention increased scrutiny of its practices by the Federal Trade Commission (FTC).
So far, media coverage has focused on Uber's decision to pay the attackers $100,000 in return for restoring the deleted the data and the company's yearlong concealment of the incident. Some industry pundits have suggested this type of response to attacks is helping fuel cybercrime. But focusing on the sensational aspects of the story alone obscures a much bigger, industry-wide mistake: the failure of companies to accept responsibility for keeping data safe because of a management perception that cyberattacks "happen to someone else."
Follow the Data
Paying for stolen data to be returned is not necessarily bad. In fact, it is not dissimilar to what many firms do to outsmart criminals; they purchase the latest malware in order to identify its exploits and defend against them. Incurring a cost to secure the data was a vital part of Uber's damage control strategy.
That said, allowing the damage to occur at all was where the company went wrong. Because data flow was not accurately monitored, attackers were able to go unnoticed while they stole millions of customer names, email addresses, and phone numbers, as well as the details for half a million US drivers, without being caught.
The theft highlights the importance of robust and fast detection in limiting the damage caused by attackers. Research that Cyber adAPT commissioned with Aberdeen Group shows that rapid attack detection can limit the business impact of breaches by 70% on average. With better detection procedures, Uber could have limited the flow of data to attackers, notified regulators faster, and avoided a substantial media storm.
Ignoring Data Responsibility
The harm done to Uber's reputation by this breach is significant, but it is a particularly bitter pill for the company to swallow, considering its existing data security record.
In 2014, the company faced two data disasters. First, cybercriminals exposed the names and licenses of 100,000 drivers. Then the company acknowledged the existence of a software tool called "God View," which enabled employees to track customer locations in real time. Following these incidents three years ago, Uber entered discussions with the FTC and only reached an agreement in August 2017, stating that the company must submit to third-party audits every 24 months for the next two decades.
Even though Uber had already been censured about poor data management, it did not learn from its mistakes. Instead, it has taken the same route as many companies: assuming data breaches are something that happen to other businesses and that there is no immediate need to strengthen data protection measures.
In reality, online attacks are not isolated events, and attackers can target anyone, sometimes more than once. As digital transformation makes data essential to business and leisure, everyone — from the man on the street, to global businesses — is becoming a cybercrime target. For those who hold valuable insight, there is therefore an unavoidable responsibility to keep it secure.
This brings us to a key question: What can Uber and other companies do to own their responsibility while standing up against cybercrime? The answer involves adopting a detection and prevention-focused approach to security — one that takes the complicated nature of modern connectivity into account.
Completing the Protection Puzzle
Traditional network boundaries are changing. No longer confined to the office, employees can access company systems from anywhere using a variety of technologies from laptops and mobile to Internet of Things (IoT) devices. Consequently, networks are more flexible, but also more fragmented. This means that there is greater potential for attackers to find loopholes. To defend data, businesses must mitigate threats by constantly assessing every device on their network and deploying tools that can pinpoint and remove any suspicious activity.
Of course, establishing total control of systems is not a simple task — especially for large corporations with 40 million monthly customers such as Uber. But by deploying a continually risk-aware methodology, companies can ensure they are prepared for inevitable cyber challenges and demonstrate to their customers that they can be trusted with sensitive data. Indeed, if the statement issued by Uber spokeswoman Molly Spaeth is anything to go by, this is exactly the direction the company plans to move in: "We are committed to changing the way we do business, putting integrity at the core of every decision we make, and working hard to regain the trust of consumers," she said in a statement.
Whether it is too late for Uber to save its reputation remains to be seen. The company has made definitive changes, such as firing chief security officer Joe Sullivan and hiring Matt Olsen, former general counsel at the National Security Agency. However, more than fresh leadership is required to restore its data credentials. As the myriad of legal suits leveled at Uber indicate, failing to take responsibility for data security has its consequences. Rather than scrambling to deal with attacks after the fact, Uber needs to focus on improving their detection and neutralization abilities — adopting tools that will help them work within data laws, not outside of them.