Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Security Management

11/22/2017
02:36 PM
Curtis Franklin
Curtis Franklin
Curt Franklin
50%
50%

Security Executives Respond to Uber Breach News

The news from Uber is rippling across the business landscape. Executives and leaders have a variety of responses to the breach and its aftermath. Here's a roundup of some of those reactions.

So far, Uber is giving a master class in how not to deal with a major data breach in the just-revealed case of 57 million PII (name, email address and mobile phone number) records lost to hackers. The response to the revelation says a lot about the company and the state of privacy in modern business.

For those coming in late, here's a brief re-cap of the critical facts on this latest Uber data breach:

  • The breach occurred in 2016 but was not revealed until this week.
  • Approximately 600,000 driver's licenses were exposed as well.
  • Uber failed to notify any local or state governments of the compromise despite legal obligations to do so.
  • The company paid a ransom of $100,000 to the hackers to delete the breached information and keep the incident quiet.
  • The breach occurred because credentials were stored in plain text on a Github site used by engineers. The credentials were then leveraged using stolen privileges to gain access to Amazon AWS instances that support Uber. The compromised data was kept in a backup repository.
  • At least four state attorneys general have already begun looking into the breach and its coverup.
  • At least one class-action lawsuit has already been filed in Los Angeles, with more suits anticipated.

Leaders and executives from other organizations are stepping up with their own comments on Uber and its actions. Many reactions have come in to the newsroom at Security Now. Those reactions range from comments on high-level strategy and corporate reputation to nuts-and-bolts suggestions for improving security. Here's a roundup of some of the more meaningful responses that have come in -- some of these have been edited for clarity and length.

Eyal Aharoni, COO, Cymulate:
"Although no credit card or social security numbers were compromised, it appears that they [Uber] did not deploy the appropriate security measures and controls that would be aligned with the standard requirements to keep this information safe.

"If we analyze some of the largest data breaches that organizations experienced in recent years, this breach could cost Uber over $50 million, besides the ransom of $100,000 which was reported as paid to the hackers. It's important to emphasize that if this breach had occurred under GDPR regulation, Uber could have been fined 4% of their revenues."

Chris Day, Chief Cybersecurity Officer, Cyxtera:
"Paying criminals to delete stolen data and failing to notify victims is disturbing on multiple levels. At a minimum, it flies in the face of ethics and transparency. It emboldens attackers and keeps the cybersecurity community from understanding techniques that could help other organizations prevent a similar attack. From a legal perspective, notification failure will inevitably cost the company dearly in terms of penalties and lawsuits. In fact, UK regulators are digging in already to understand the scope; which could trigger GDPR-related fines. The New York State Attorney General's office is also investigating the event.

"This is a fairly 'vanilla' attack in terms of its sophistication. It could have been prevented by locking down access using an approach like a software-defined perimeter (SDP). For example in this case, the system could have required the hackers to present a one-time password before granting access to the server."

James Maude, Senior Security Engineer, Avecto:
"A serious error on Uber's part was storing the keys to its data store on a GitHub code repository which the attackers could access. This is the digital equivalent of writing the password down on a bit of paper. Once the attackers had this key, they could access data easily.

"There is a growing issue around organizations outsourcing data storage to the cloud with limited or no security -- yet companies feel like they’ve outsourced security too. The cloud presents both a great opportunity and a great danger at the same time."

Zohar Alon, Co-Founder & CEO, Dome9:
"There are tools available right now within GitHub that automatically check code for embedded access credentials such as AWS API keys. This is something that Uber, and any organization that is developing code, can and should implement whenever a software engineer checks in code to GitHub." Jim Kennedy, Vice President, North America, Certes Networks:
"The lengths gone to by the executive team to conceal the loss of personal data from staff and customers is mind-blowing, and there simply isn’t a place or excuse for it.

"Most likely the Uber C-suite, seeing the repercussions of cyber-attacks on similar household names, were keen to avoid the reputational damage -- a massive error of judgement. The reality is that customer distrust of the brand will be amplified by the company’s attempts to hid the facts from them and points to the need for change in the industry."

Stephan Chenette, CEO & Co-Founder, AttackIQ:
"We continue to see security control misconfigurations that result in costly breaches. Organizations that do not actively search for protection failures will more than likely find themselves victims of cybercrime such as Uber." Asher de Metz, Security Consulting Manager, Sungard Availability Services:
"This is another example of companies missing the basics. AWS has the ability to utilize free multi factor authentication (MFA), so that even if a hacker has the password, without the one time code from the MFA, they aren’t getting in.

"It’s a disgrace that the chief of security tried to hide this breach. It's illegal and immoral. They left their drivers and customers unaware of this breach for a year. The lawsuits from this are going to be huge and I don’t see the chief of security getting another job in the field so quickly."

Morey Haber, Vice President, Technology, BeyondTrust:
"As a security professional, I am baffled by these events and not sure how to even prioritize the things they did wrong... Just like a child, hopefully they have learned not to touch a hot stove. They just plainly acted like irresponsible children."

Related posts:

— Curtis Franklin is the editor of SecurityNow.com. Follow him on Twitter @kg4gwa.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/6/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Another COVID-19 Side Effect: Rising Nation-State Cyber Activity
Stephen Ward, VP, ThreatConnect,  7/1/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15600
PUBLISHED: 2020-07-07
An issue was discovered in CMSUno before 1.6.1. uno.php allows CSRF to change the admin password.
CVE-2020-15599
PUBLISHED: 2020-07-07
Victor CMS through 2019-02-28 allows XSS via the register.php user_firstname or user_lastname field.
CVE-2020-8916
PUBLISHED: 2020-07-07
A memory leak in Openthread's wpantund versions up to commit 0e5d1601febb869f583e944785e5685c6c747be7, when used in an environment where wpanctl is directly interfacing with the control driver (eg: debug environments) can allow an attacker to crash the service (DoS). We recommend updating, or to res...
CVE-2020-12821
PUBLISHED: 2020-07-07
Gossipsub 1.0 does not properly resist invalid message spam, such as an eclipse attack or a sybil attack.
CVE-2020-15008
PUBLISHED: 2020-07-07
A SQLi exists in the probe code of all Connectwise Automate versions before 2020.7 or 2019.12. A SQL Injection in the probe implementation to save data to a custom table exists due to inadequate server side validation. As the code creates dynamic SQL for the insert statement and utilizes the user su...