Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

11/22/2017
03:00 PM
Joseph Carson
Joseph Carson
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Time to Pull an Uber and Disclose Your Data Breach Now

There is never a good time to reveal a cyberattack. But with EU's GDPR looming, the fallout is only going to get harder and more expensive if you wait.

Uber has finally disclosed that the company experienced a cybersecurity breach in 2016, when the personal details of both drivers and customers were hacked by cybercriminals. Apparently, the company also paid a small ransom to have the data destroyed.

Here we go again. Another data breach … another CSO gets the ax and departs for mishandling a major incident. Sadly, this is becoming a common trend. 

The big news here is that Uber concealed the data breach, which increased the cyber-risk of both drivers and customers, as well as a loss of trust from investors and governments. The mishandling of credentials for an Amazon Web Services (AWS) account was reportedly behind the data breach, a deficiency that demonstrates that companies really need to adhere to the industry recommendations on securing and protecting privileged credentials. Not protecting these credentials can lead to major cyber incidents, making the difference between a simple perimeter breach and a cyber catastrophe. Privileged access management (PAM) has long been a major problem, and this incident is just another example of a company not managing access and securing the keys to the kingdom. 

According to Forrester Research, approximately 80% of data breaches (registration required) are a result of stolen or compromised privileged credentials, making privileged credentials security a must for many industry regulations. Not protecting them exposes companies to compliance failure as well as data breaches like we have now seen with Uber. This data breach also demonstrates the importance of incident handling as a major part of an organization's cybersecurity policy — and doing it right can change the outcome of many cyber incidents. You cannot wait until it is too late to get your incident response plan in place.    

In the time since this data breach occurred, Uber has experienced a change in CEOs, and disclosure of this breach gives Uber CEO Dara Khosrowshahi an opportunity to set things straight and change a perception that has dogged Uber for the past few years surrounding many scandals.

Why now? Why should organizations follow Uber's poor example of disclosure as soon as they can?

With the upcoming EU General Data Protection Regulation (GDPR), which goes into enforcement in May 2018, businesses of all sizes, around the world, will face huge financial penalties for failure to disclose data breaches and be required to follow a strict 72-hour breach notification to authorities in the countries affected. The GDPR replaces the European General Data Protection Directive from 1995 and provides the foundation for companies taking responsibility for protecting European citizens' private data. 

This means organizations are accountable and responsible for all the information they collect. The more information they gather, the more data they must account for, and therefore the more data they are responsible for. If a data breach occurs, and it is found that adequate security measures were not in place, there are significant penalties and fines: 20 million euros or 4% of annual turnover.  In my rough calculation, if we use Uber's gross bookings from 2016 of $20 billion (USD), then Uber, in a post-May 2018 GDPR world, could face possible financial penalties of $800 million, which of course would be much higher than it would be facing by disclosing the data breach today. 

Bottom line: If you are you hiding a major data breach like Uber, you might want to follow Uber's example and disclose it ASAP.

Or maybe you have not found the data breach yet. Then you had better get looking immediately before it is too late and you put your entire business (and with it, your reputation) at risk. I suspect many companies that provide services to EU citizens will need to think hard about keeping major data breaches a secret. We may see more companies, like Uber, face the reality that now is a good time to put out their dirty laundry and survive the tougher cyber regulations looming on the horizon.

Cybersecurity should never be an afterthought. Protecting privileged accounts, especially those that provide access to customer and employee personal data, should be a major priority along with a solid incident response plan and training on how to respond effectively and according to regulations and compliance requirements. Lastly, in today's threat environment, cybersecurity has to become everyone's responsibility. We need to empower our employees to be the strongest link because we are all on the front line and we need to ensure that everyone on the front line is educated and protected.   

Related Content:

 

Joseph Carson has more than 25 years' experience in enterprise security, is the author of Privileged Account Management for Dummies and Cybersecurity for Dummies, and is a cybersecurity professional and ethical hacker. Joseph is a cybersecurity adviser to several governments, ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
jdub161
50%
50%
jdub161,
User Rank: Apprentice
11/30/2017 | 10:58:53 PM
Cumulative CSO sackings
Great article Joseph, got me thinking about the cumulative effect of sacking CSO's.  Now some CSO's I know are nothing more than a glorified IT Security Manager and by not keeing Cyber on the strategic agenda have probably created their own demise.

However, if the 'standard' response to a major data breach is to sack the CSO to appease the markets & media after a time will we not get to a point where effective CSO's are also being chopped and not re-hired?  Does this lead us to a place where we are culling the very people from an industry that is already short-staffed?

 

Jason
The Security of Cloud Applications
Hillel Solow, CTO and Co-founder, Protego,  7/11/2019
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-13640
PUBLISHED: 2019-07-17
In qBittorrent before 4.1.7, the function Application::runExternalProgram() located in app/application.cpp allows command injection via shell metacharacters in the torrent name parameter or current tracker parameter, as demonstrated by remote command execution via a crafted name within an RSS feed.
CVE-2019-5222
PUBLISHED: 2019-07-17
There is an information disclosure vulnerability on Secure Input of certain Huawei smartphones in Versions earlier than Tony-AL00B 9.1.0.216(C00E214R2P1). The Secure Input does not properly limit certain system privilege. An attacker tricks the user to install a malicious application and successful ...
CVE-2019-1919
PUBLISHED: 2019-07-17
A vulnerability in the Cisco FindIT Network Management Software virtual machine (VM) images could allow an unauthenticated, local attacker who has access to the VM console to log in to the device with a static account that has root privileges. The vulnerability is due to the presence of an account w...
CVE-2019-1920
PUBLISHED: 2019-07-17
A vulnerability in the 802.11r Fast Transition (FT) implementation for Cisco IOS Access Points (APs) Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected interface. The vulnerability is due to a lack of complete error handling conditi...
CVE-2019-1923
PUBLISHED: 2019-07-17
A vulnerability in Cisco Small Business SPA500 Series IP Phones could allow a physically proximate attacker to execute arbitrary commands on the device. The vulnerability is due to improper input validation in the device configuration interface. An attacker could exploit this vulnerability by access...