theDocumentId => 738459 Security Executives Respond to Uber Breach News

Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Security Management

11/22/2017
02:36 PM
Curtis Franklin Jr.
Curtis Franklin Jr.
Curt Franklin
50%
50%

Security Executives Respond to Uber Breach News

The news from Uber is rippling across the business landscape. Executives and leaders have a variety of responses to the breach and its aftermath. Here's a roundup of some of those reactions.

So far, Uber is giving a master class in how not to deal with a major data breach in the just-revealed case of 57 million PII (name, email address and mobile phone number) records lost to hackers. The response to the revelation says a lot about the company and the state of privacy in modern business.

For those coming in late, here's a brief re-cap of the critical facts on this latest Uber data breach:

  • The breach occurred in 2016 but was not revealed until this week.
  • Approximately 600,000 driver's licenses were exposed as well.
  • Uber failed to notify any local or state governments of the compromise despite legal obligations to do so.
  • The company paid a ransom of $100,000 to the hackers to delete the breached information and keep the incident quiet.
  • The breach occurred because credentials were stored in plain text on a Github site used by engineers. The credentials were then leveraged using stolen privileges to gain access to Amazon AWS instances that support Uber. The compromised data was kept in a backup repository.
  • At least four state attorneys general have already begun looking into the breach and its coverup.
  • At least one class-action lawsuit has already been filed in Los Angeles, with more suits anticipated.

Leaders and executives from other organizations are stepping up with their own comments on Uber and its actions. Many reactions have come in to the newsroom at Security Now. Those reactions range from comments on high-level strategy and corporate reputation to nuts-and-bolts suggestions for improving security. Here's a roundup of some of the more meaningful responses that have come in -- some of these have been edited for clarity and length.

Eyal Aharoni, COO, Cymulate:
"Although no credit card or social security numbers were compromised, it appears that they [Uber] did not deploy the appropriate security measures and controls that would be aligned with the standard requirements to keep this information safe.

"If we analyze some of the largest data breaches that organizations experienced in recent years, this breach could cost Uber over $50 million, besides the ransom of $100,000 which was reported as paid to the hackers. It's important to emphasize that if this breach had occurred under GDPR regulation, Uber could have been fined 4% of their revenues."

Chris Day, Chief Cybersecurity Officer, Cyxtera:
"Paying criminals to delete stolen data and failing to notify victims is disturbing on multiple levels. At a minimum, it flies in the face of ethics and transparency. It emboldens attackers and keeps the cybersecurity community from understanding techniques that could help other organizations prevent a similar attack. From a legal perspective, notification failure will inevitably cost the company dearly in terms of penalties and lawsuits. In fact, UK regulators are digging in already to understand the scope; which could trigger GDPR-related fines. The New York State Attorney General's office is also investigating the event.

"This is a fairly 'vanilla' attack in terms of its sophistication. It could have been prevented by locking down access using an approach like a software-defined perimeter (SDP). For example in this case, the system could have required the hackers to present a one-time password before granting access to the server."

James Maude, Senior Security Engineer, Avecto:
"A serious error on Uber's part was storing the keys to its data store on a GitHub code repository which the attackers could access. This is the digital equivalent of writing the password down on a bit of paper. Once the attackers had this key, they could access data easily.

"There is a growing issue around organizations outsourcing data storage to the cloud with limited or no security -- yet companies feel like they’ve outsourced security too. The cloud presents both a great opportunity and a great danger at the same time."

Zohar Alon, Co-Founder & CEO, Dome9:
"There are tools available right now within GitHub that automatically check code for embedded access credentials such as AWS API keys. This is something that Uber, and any organization that is developing code, can and should implement whenever a software engineer checks in code to GitHub." Jim Kennedy, Vice President, North America, Certes Networks:
"The lengths gone to by the executive team to conceal the loss of personal data from staff and customers is mind-blowing, and there simply isn’t a place or excuse for it.

"Most likely the Uber C-suite, seeing the repercussions of cyber-attacks on similar household names, were keen to avoid the reputational damage -- a massive error of judgement. The reality is that customer distrust of the brand will be amplified by the company’s attempts to hid the facts from them and points to the need for change in the industry."

Stephan Chenette, CEO & Co-Founder, AttackIQ:
"We continue to see security control misconfigurations that result in costly breaches. Organizations that do not actively search for protection failures will more than likely find themselves victims of cybercrime such as Uber." Asher de Metz, Security Consulting Manager, Sungard Availability Services:
"This is another example of companies missing the basics. AWS has the ability to utilize free multi factor authentication (MFA), so that even if a hacker has the password, without the one time code from the MFA, they aren’t getting in.

"It’s a disgrace that the chief of security tried to hide this breach. It's illegal and immoral. They left their drivers and customers unaware of this breach for a year. The lawsuits from this are going to be huge and I don’t see the chief of security getting another job in the field so quickly."

Morey Haber, Vice President, Technology, BeyondTrust:
"As a security professional, I am baffled by these events and not sure how to even prioritize the things they did wrong... Just like a child, hopefully they have learned not to touch a hot stove. They just plainly acted like irresponsible children."

Related posts:

— Curtis Franklin is the editor of SecurityNow.com. Follow him on Twitter @kg4gwa.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-32686
PUBLISHED: 2021-07-23
PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In PJSIP before version 2.11.1, there are a couple of issues found in the SSL socket. First, a race condition between callback and ...
CVE-2021-32783
PUBLISHED: 2021-07-23
Contour is a Kubernetes ingress controller using Envoy proxy. In Contour before version 1.17.1 a specially crafted ExternalName type Service may be used to access Envoy's admin interface, which Contour normally prevents from access outside the Envoy container. This can be used to shut down Envoy rem...
CVE-2021-3169
PUBLISHED: 2021-07-23
An issue in Jumpserver 2.6.2 and below allows attackers to create a connection token through an API which does not have access control and use it to access sensitive assets.
CVE-2020-20741
PUBLISHED: 2021-07-23
Incorrect Access Control in Beckhoff Automation GmbH & Co. KG CX9020 with firmware version CX9020_CB3011_WEC7_HPS_v602_TC31_B4016.6 allows remote attackers to bypass authentication via the "CE Remote Display Tool" as it does not close the incoming connection on the Windows CE side if t...
CVE-2021-25808
PUBLISHED: 2021-07-23
A code injection vulnerability in backup/plugin.php of Bludit 3.13.1 allows attackers to execute arbitrary code via a crafted ZIP file.