Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Security Management

// // //

Security Executives Respond to Uber Breach News

The news from Uber is rippling across the business landscape. Executives and leaders have a variety of responses to the breach and its aftermath. Here's a roundup of some of those reactions.

So far, Uber is giving a master class in how not to deal with a major data breach in the just-revealed case of 57 million PII (name, email address and mobile phone number) records lost to hackers. The response to the revelation says a lot about the company and the state of privacy in modern business.

For those coming in late, here's a brief re-cap of the critical facts on this latest Uber data breach:

  • The breach occurred in 2016 but was not revealed until this week.
  • Approximately 600,000 driver's licenses were exposed as well.
  • Uber failed to notify any local or state governments of the compromise despite legal obligations to do so.
  • The company paid a ransom of $100,000 to the hackers to delete the breached information and keep the incident quiet.
  • The breach occurred because credentials were stored in plain text on a Github site used by engineers. The credentials were then leveraged using stolen privileges to gain access to Amazon AWS instances that support Uber. The compromised data was kept in a backup repository.
  • At least four state attorneys general have already begun looking into the breach and its coverup.
  • At least one class-action lawsuit has already been filed in Los Angeles, with more suits anticipated.

Leaders and executives from other organizations are stepping up with their own comments on Uber and its actions. Many reactions have come in to the newsroom at Security Now. Those reactions range from comments on high-level strategy and corporate reputation to nuts-and-bolts suggestions for improving security. Here's a roundup of some of the more meaningful responses that have come in -- some of these have been edited for clarity and length.

Eyal Aharoni, COO, Cymulate:
"Although no credit card or social security numbers were compromised, it appears that they [Uber] did not deploy the appropriate security measures and controls that would be aligned with the standard requirements to keep this information safe.

"If we analyze some of the largest data breaches that organizations experienced in recent years, this breach could cost Uber over $50 million, besides the ransom of $100,000 which was reported as paid to the hackers. It's important to emphasize that if this breach had occurred under GDPR regulation, Uber could have been fined 4% of their revenues."

Chris Day, Chief Cybersecurity Officer, Cyxtera:
"Paying criminals to delete stolen data and failing to notify victims is disturbing on multiple levels. At a minimum, it flies in the face of ethics and transparency. It emboldens attackers and keeps the cybersecurity community from understanding techniques that could help other organizations prevent a similar attack. From a legal perspective, notification failure will inevitably cost the company dearly in terms of penalties and lawsuits. In fact, UK regulators are digging in already to understand the scope; which could trigger GDPR-related fines. The New York State Attorney General's office is also investigating the event.

"This is a fairly 'vanilla' attack in terms of its sophistication. It could have been prevented by locking down access using an approach like a software-defined perimeter (SDP). For example in this case, the system could have required the hackers to present a one-time password before granting access to the server."

James Maude, Senior Security Engineer, Avecto:
"A serious error on Uber's part was storing the keys to its data store on a GitHub code repository which the attackers could access. This is the digital equivalent of writing the password down on a bit of paper. Once the attackers had this key, they could access data easily.

"There is a growing issue around organizations outsourcing data storage to the cloud with limited or no security -- yet companies feel like they’ve outsourced security too. The cloud presents both a great opportunity and a great danger at the same time."

Zohar Alon, Co-Founder & CEO, Dome9:
"There are tools available right now within GitHub that automatically check code for embedded access credentials such as AWS API keys. This is something that Uber, and any organization that is developing code, can and should implement whenever a software engineer checks in code to GitHub." Jim Kennedy, Vice President, North America, Certes Networks:
"The lengths gone to by the executive team to conceal the loss of personal data from staff and customers is mind-blowing, and there simply isn’t a place or excuse for it.

"Most likely the Uber C-suite, seeing the repercussions of cyber-attacks on similar household names, were keen to avoid the reputational damage -- a massive error of judgement. The reality is that customer distrust of the brand will be amplified by the company’s attempts to hid the facts from them and points to the need for change in the industry."

Stephan Chenette, CEO & Co-Founder, AttackIQ:
"We continue to see security control misconfigurations that result in costly breaches. Organizations that do not actively search for protection failures will more than likely find themselves victims of cybercrime such as Uber." Asher de Metz, Security Consulting Manager, Sungard Availability Services:
"This is another example of companies missing the basics. AWS has the ability to utilize free multi factor authentication (MFA), so that even if a hacker has the password, without the one time code from the MFA, they aren’t getting in.

"It’s a disgrace that the chief of security tried to hide this breach. It's illegal and immoral. They left their drivers and customers unaware of this breach for a year. The lawsuits from this are going to be huge and I don’t see the chief of security getting another job in the field so quickly."

Morey Haber, Vice President, Technology, BeyondTrust:
"As a security professional, I am baffled by these events and not sure how to even prioritize the things they did wrong... Just like a child, hopefully they have learned not to touch a hot stove. They just plainly acted like irresponsible children."

Related posts:

— Curtis Franklin is the editor of SecurityNow.com. Follow him on Twitter @kg4gwa.

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file