So far, Uber is giving a master class in how not to deal with a major data breach in the just-revealed case of 57 million PII (name, email address and mobile phone number) records lost to hackers. The response to the revelation says a lot about the company and the state of privacy in modern business.
For those coming in late, here's a brief re-cap of the critical facts on this latest Uber data breach:
- The breach occurred in 2016 but was not revealed until this week.
- Approximately 600,000 driver's licenses were exposed as well.
- Uber failed to notify any local or state governments of the compromise despite legal obligations to do so.
- The company paid a ransom of $100,000 to the hackers to delete the breached information and keep the incident quiet.
- The breach occurred because credentials were stored in plain text on a Github site used by engineers. The credentials were then leveraged using stolen privileges to gain access to Amazon AWS instances that support Uber. The compromised data was kept in a backup repository.
- At least four state attorneys general have already begun looking into the breach and its coverup.
- At least one class-action lawsuit has already been filed in Los Angeles, with more suits anticipated.
Leaders and executives from other organizations are stepping up with their own comments on Uber and its actions. Many reactions have come in to the newsroom at Security Now. Those reactions range from comments on high-level strategy and corporate reputation to nuts-and-bolts suggestions for improving security. Here's a roundup of some of the more meaningful responses that have come in -- some of these have been edited for clarity and length.
Eyal Aharoni, COO, Cymulate:
"Although no credit card or social security numbers were compromised, it appears that they [Uber] did not deploy the appropriate security measures and controls that would be aligned with the standard requirements to keep this information safe.
"If we analyze some of the largest data breaches that organizations experienced in recent years, this breach could cost Uber over $50 million, besides the ransom of $100,000 which was reported as paid to the hackers. It's important to emphasize that if this breach had occurred under GDPR regulation, Uber could have been fined 4% of their revenues."
Chris Day, Chief Cybersecurity Officer, Cyxtera:
"Paying criminals to delete stolen data and failing to notify victims is disturbing on multiple levels. At a minimum, it flies in the face of ethics and transparency. It emboldens attackers and keeps the cybersecurity community from understanding techniques that could help other organizations prevent a similar attack. From a legal perspective, notification failure will inevitably cost the company dearly in terms of penalties and lawsuits. In fact, UK regulators are digging in already to understand the scope; which could trigger GDPR-related fines. The New York State Attorney General's office is also investigating the event.
"This is a fairly 'vanilla' attack in terms of its sophistication. It could have been prevented by locking down access using an approach like a software-defined perimeter (SDP). For example in this case, the system could have required the hackers to present a one-time password before granting access to the server."
James Maude, Senior Security Engineer, Avecto:
"A serious error on Uber's part was storing the keys to its data store on a GitHub code repository which the attackers could access. This is the digital equivalent of writing the password down on a bit of paper. Once the attackers had this key, they could access data easily.
"There is a growing issue around organizations outsourcing data storage to the cloud with limited or no security -- yet companies feel like they’ve outsourced security too. The cloud presents both a great opportunity and a great danger at the same time."
Zohar Alon, Co-Founder & CEO, Dome9:
"There are tools available right now within GitHub that automatically check code for embedded access credentials such as AWS API keys. This is something that Uber, and any organization that is developing code, can and should implement whenever a software engineer checks in code to GitHub." Jim Kennedy, Vice President, North America, Certes Networks:
"The lengths gone to by the executive team to conceal the loss of personal data from staff and customers is mind-blowing, and there simply isn’t a place or excuse for it.
"Most likely the Uber C-suite, seeing the repercussions of cyber-attacks on similar household names, were keen to avoid the reputational damage -- a massive error of judgement. The reality is that customer distrust of the brand will be amplified by the company’s attempts to hid the facts from them and points to the need for change in the industry."
Stephan Chenette, CEO & Co-Founder, AttackIQ:
"We continue to see security control misconfigurations that result in costly breaches. Organizations that do not actively search for protection failures will more than likely find themselves victims of cybercrime such as Uber." Asher de Metz, Security Consulting Manager, Sungard Availability Services:
"This is another example of companies missing the basics. AWS has the ability to utilize free multi factor authentication (MFA), so that even if a hacker has the password, without the one time code from the MFA, they aren’t getting in.
"It’s a disgrace that the chief of security tried to hide this breach. It's illegal and immoral. They left their drivers and customers unaware of this breach for a year. The lawsuits from this are going to be huge and I don’t see the chief of security getting another job in the field so quickly."
Morey Haber, Vice President, Technology, BeyondTrust:
"As a security professional, I am baffled by these events and not sure how to even prioritize the things they did wrong... Just like a child, hopefully they have learned not to touch a hot stove. They just plainly acted like irresponsible children."
- Uber Loses Customer Data: Customers Yawn & Keep Riding
- Common Sense Means Rethinking NIST Password Rules
- New Research: Phishing Is Worse Than You Thought