Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Security Management

// // //

Security Executives Respond to Uber Breach News

The news from Uber is rippling across the business landscape. Executives and leaders have a variety of responses to the breach and its aftermath. Here's a roundup of some of those reactions.

So far, Uber is giving a master class in how not to deal with a major data breach in the just-revealed case of 57 million PII (name, email address and mobile phone number) records lost to hackers. The response to the revelation says a lot about the company and the state of privacy in modern business.

For those coming in late, here's a brief re-cap of the critical facts on this latest Uber data breach:

  • The breach occurred in 2016 but was not revealed until this week.
  • Approximately 600,000 driver's licenses were exposed as well.
  • Uber failed to notify any local or state governments of the compromise despite legal obligations to do so.
  • The company paid a ransom of $100,000 to the hackers to delete the breached information and keep the incident quiet.
  • The breach occurred because credentials were stored in plain text on a Github site used by engineers. The credentials were then leveraged using stolen privileges to gain access to Amazon AWS instances that support Uber. The compromised data was kept in a backup repository.
  • At least four state attorneys general have already begun looking into the breach and its coverup.
  • At least one class-action lawsuit has already been filed in Los Angeles, with more suits anticipated.

Leaders and executives from other organizations are stepping up with their own comments on Uber and its actions. Many reactions have come in to the newsroom at Security Now. Those reactions range from comments on high-level strategy and corporate reputation to nuts-and-bolts suggestions for improving security. Here's a roundup of some of the more meaningful responses that have come in -- some of these have been edited for clarity and length.

Eyal Aharoni, COO, Cymulate:
"Although no credit card or social security numbers were compromised, it appears that they [Uber] did not deploy the appropriate security measures and controls that would be aligned with the standard requirements to keep this information safe.

"If we analyze some of the largest data breaches that organizations experienced in recent years, this breach could cost Uber over $50 million, besides the ransom of $100,000 which was reported as paid to the hackers. It's important to emphasize that if this breach had occurred under GDPR regulation, Uber could have been fined 4% of their revenues."

Chris Day, Chief Cybersecurity Officer, Cyxtera:
"Paying criminals to delete stolen data and failing to notify victims is disturbing on multiple levels. At a minimum, it flies in the face of ethics and transparency. It emboldens attackers and keeps the cybersecurity community from understanding techniques that could help other organizations prevent a similar attack. From a legal perspective, notification failure will inevitably cost the company dearly in terms of penalties and lawsuits. In fact, UK regulators are digging in already to understand the scope; which could trigger GDPR-related fines. The New York State Attorney General's office is also investigating the event.

"This is a fairly 'vanilla' attack in terms of its sophistication. It could have been prevented by locking down access using an approach like a software-defined perimeter (SDP). For example in this case, the system could have required the hackers to present a one-time password before granting access to the server."

James Maude, Senior Security Engineer, Avecto:
"A serious error on Uber's part was storing the keys to its data store on a GitHub code repository which the attackers could access. This is the digital equivalent of writing the password down on a bit of paper. Once the attackers had this key, they could access data easily.

"There is a growing issue around organizations outsourcing data storage to the cloud with limited or no security -- yet companies feel like they’ve outsourced security too. The cloud presents both a great opportunity and a great danger at the same time."

Zohar Alon, Co-Founder & CEO, Dome9:
"There are tools available right now within GitHub that automatically check code for embedded access credentials such as AWS API keys. This is something that Uber, and any organization that is developing code, can and should implement whenever a software engineer checks in code to GitHub." Jim Kennedy, Vice President, North America, Certes Networks:
"The lengths gone to by the executive team to conceal the loss of personal data from staff and customers is mind-blowing, and there simply isn’t a place or excuse for it.

"Most likely the Uber C-suite, seeing the repercussions of cyber-attacks on similar household names, were keen to avoid the reputational damage -- a massive error of judgement. The reality is that customer distrust of the brand will be amplified by the company’s attempts to hid the facts from them and points to the need for change in the industry."

Stephan Chenette, CEO & Co-Founder, AttackIQ:
"We continue to see security control misconfigurations that result in costly breaches. Organizations that do not actively search for protection failures will more than likely find themselves victims of cybercrime such as Uber." Asher de Metz, Security Consulting Manager, Sungard Availability Services:
"This is another example of companies missing the basics. AWS has the ability to utilize free multi factor authentication (MFA), so that even if a hacker has the password, without the one time code from the MFA, they aren’t getting in.

"It’s a disgrace that the chief of security tried to hide this breach. It's illegal and immoral. They left their drivers and customers unaware of this breach for a year. The lawsuits from this are going to be huge and I don’t see the chief of security getting another job in the field so quickly."

Morey Haber, Vice President, Technology, BeyondTrust:
"As a security professional, I am baffled by these events and not sure how to even prioritize the things they did wrong... Just like a child, hopefully they have learned not to touch a hot stove. They just plainly acted like irresponsible children."

Related posts:

— Curtis Franklin is the editor of SecurityNow.com. Follow him on Twitter @kg4gwa.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Machine Learning, AI & Deep Learning Improve Cybersecurity
Machine intelligence is influencing all aspects of cybersecurity. Organizations are implementing AI-based security to analyze event data using ML models that identify attack patterns and increase automation. Before security teams can take advantage of AI and ML tools, they need to know what is possible. This report covers: -How to assess the vendor's AI/ML claims -Defining success criteria for AI/ML implementations -Challenges when implementing AI
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-42247
PUBLISHED: 2022-10-03
pfSense v2.5.2 was discovered to contain a cross-site scripting (XSS) vulnerability in the browser.php component. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into a file name.
CVE-2022-41443
PUBLISHED: 2022-10-03
phpipam v1.5.0 was discovered to contain a header injection vulnerability via the component /admin/subnets/ripe-query.php.
CVE-2022-33882
PUBLISHED: 2022-10-03
Under certain conditions, an attacker could create an unintended sphere of control through a vulnerability present in file delete operation in Autodesk desktop app (ADA). An attacker could leverage this vulnerability to escalate privileges and execute arbitrary code.
CVE-2022-42306
PUBLISHED: 2022-10-03
An issue was discovered in Veritas NetBackup through 8.2 and related Veritas products. An attacker with local access can send a crafted packet to pbx_exchange during registration and cause a NULL pointer exception, effectively crashing the pbx_exchange process.
CVE-2022-42307
PUBLISHED: 2022-10-03
An issue was discovered in Veritas NetBackup through 10.0.0.1 and related Veritas products. The NetBackup Primary server is vulnerable to an XML External Entity (XXE) Injection attack through the DiscoveryService service.