Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

1/4/2018
02:00 PM
Kirsten Bay
Kirsten Bay
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Uber's Biggest Mistake: It Wasn't Paying Ransom

Rather than scrambling to deal with attacks after the fact, companies need to focus on improving detection capabilities with tools that help them work within data laws, not outside of them.

Uber has discovered that when it rains, it really pours. Since Bloomberg broke the news that the ride-hailing giant had suffered a massive breach of more than 57 million customer and driver records, it has been hit with three lawsuits and five independent investigations from the attorneys general of New York, Missouri, Massachusetts, Connecticut, and Illinois. And that's not to mention increased scrutiny of its practices by the Federal Trade Commission (FTC).

So far, media coverage has focused on Uber's decision to pay the attackers $100,000 in return for restoring the deleted the data and the company's yearlong concealment of the incident. Some industry pundits have suggested this type of response to attacks is helping fuel cybercrime. But focusing on the sensational aspects of the story alone obscures a much bigger, industry-wide mistake: the failure of companies to accept responsibility for keeping data safe because of a management perception that cyberattacks "happen to someone else."

Follow the Data
Paying for stolen data to be returned is not necessarily bad. In fact, it is not dissimilar to what many firms do to outsmart criminals; they purchase the latest malware in order to identify its exploits and defend against them. Incurring a cost to secure the data was a vital part of Uber's damage control strategy.

That said, allowing the damage to occur at all was where the company went wrong. Because data flow was not accurately monitored, attackers were able to go unnoticed while they stole millions of customer names, email addresses, and phone numbers, as well as the details for half a million US drivers, without being caught.

The theft highlights the importance of robust and fast detection in limiting the damage caused by attackers. Research that Cyber adAPT commissioned with Aberdeen Group shows that rapid attack detection can limit the business impact of breaches by 70% on average. With better detection procedures, Uber could have limited the flow of data to attackers, notified regulators faster, and avoided a substantial media storm.

Ignoring Data Responsibility
The harm done to Uber's reputation by this breach is significant, but it is a particularly bitter pill for the company to swallow, considering its existing data security record.

In 2014, the company faced two data disasters. First, cybercriminals exposed the names and licenses of 100,000 drivers. Then the company acknowledged the existence of a software tool called "God View," which enabled employees to track customer locations in real time. Following these incidents three years ago, Uber entered discussions with the FTC and only reached an agreement in August 2017, stating that the company must submit to third-party audits every 24 months for the next two decades.

Even though Uber had already been censured about poor data management, it did not learn from its mistakes. Instead, it has taken the same route as many companies: assuming data breaches are something that happen to other businesses and that there is no immediate need to strengthen data protection measures.

In reality, online attacks are not isolated events, and attackers can target anyone, sometimes more than once. As digital transformation makes data essential to business and leisure, everyone — from the man on the street, to global businesses — is becoming a cybercrime target. For those who hold valuable insight, there is therefore an unavoidable responsibility to keep it secure.

This brings us to a key question: What can Uber and other companies do to own their responsibility while standing up against cybercrime? The answer involves adopting a detection and prevention-focused approach to security — one that takes the complicated nature of modern connectivity into account.

Completing the Protection Puzzle
Traditional network boundaries are changing. No longer confined to the office, employees can access company systems from anywhere using a variety of technologies from laptops and mobile to Internet of Things (IoT) devices. Consequently, networks are more flexible, but also more fragmented. This means that there is greater potential for attackers to find loopholes. To defend data, businesses must mitigate threats by constantly assessing every device on their network and deploying tools that can pinpoint and remove any suspicious activity.

Of course, establishing total control of systems is not a simple task — especially for large corporations with 40 million monthly customers such as Uber. But by deploying a continually risk-aware methodology, companies can ensure they are prepared for inevitable cyber challenges and demonstrate to their customers that they can be trusted with sensitive data. Indeed, if the statement issued by Uber spokeswoman Molly Spaeth is anything to go by, this is exactly the direction the company plans to move in: "We are committed to changing the way we do business, putting integrity at the core of every decision we make, and working hard to regain the trust of consumers," she said in a statement.

Whether it is too late for Uber to save its reputation remains to be seen. The company has made definitive changes, such as firing chief security officer Joe Sullivan and hiring Matt Olsen, former general counsel at the National Security Agency. However, more than fresh leadership is required to restore its data credentials. As the myriad of legal suits leveled at Uber indicate, failing to take responsibility for data security has its consequences. Rather than scrambling to deal with attacks after the fact, Uber needs to focus on improving their detection and neutralization abilities — adopting tools that will help them work within data laws, not outside of them. 

Related Content:

As President and CEO of security firm Cyber adAPT, Kirsten Bay leverages more than 25 years of experience of risk intelligence, information management, and policy expertise. Her career has seen her sit on a US congressional committee; assist in developing policies for the ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
The Cold Truth about Cyber Insurance
Chris Kennedy, CISO & VP Customer Success, AttackIQ,  11/7/2019
Black Hat Q&A: Hacking a '90s Sports Car
Black Hat Staff, ,  11/7/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5230
PUBLISHED: 2019-11-13
P20 Pro, P20, Mate RS smartphones with versions earlier than Charlotte-AL00A 9.1.0.321(C00E320R1P1T8), versions earlier than Emily-AL00A 9.1.0.321(C00E320R1P1T8), versions earlier than NEO-AL00D NEO-AL00 9.1.0.321(C786E320R1P1T8) have an improper validation vulnerability. The system does not perform...
CVE-2019-5231
PUBLISHED: 2019-11-13
P30 smartphones with versions earlier than ELLE-AL00B 9.1.0.186(C00E180R2P1) have an improper authorization vulnerability. The software incorrectly performs an authorization check when a user attempts to perform certain action. Successful exploit could allow the attacker to update a crafted package.
CVE-2019-5233
PUBLISHED: 2019-11-13
Huawei smartphones with versions earlier than Taurus-AL00B 10.0.0.41(SP2C00E41R3P2) have an improper authentication vulnerability. Successful exploitation may cause the attacker to access specific components.
CVE-2019-5246
PUBLISHED: 2019-11-13
Smartphones with software of ELLE-AL00B 9.1.0.109(C00E106R1P21), 9.1.0.113(C00E110R1P21), 9.1.0.125(C00E120R1P21), 9.1.0.135(C00E130R1P21), 9.1.0.153(C00E150R1P21), 9.1.0.155(C00E150R1P21), 9.1.0.162(C00E160R2P1) have an insufficient verification vulnerability. The system does not verify certain par...
CVE-2010-4177
PUBLISHED: 2019-11-12
mysql-gui-tools (mysql-query-browser and mysql-admin) before 5.0r14+openSUSE-2.3 exposes the password of a user connected to the MySQL server in clear text form via the list of running processes.