The information security industry is in shock after Uber confessed to a massive data breach affecting 57 million customers and drivers around the globe, which it concealed last year by paying off the hackers.
CEO Dara Khosrowshahi claimed the incident happened in late 2016 when two individuals “inappropriately accessed user data stored on a third-party cloud-based service that we use.”
Data stolen included the names, email addresses and mobile phone numbers of 57 million Uber users globally, including 600,000 US drivers, who had their names and driver’s license numbers taken.
He said in a statement yesterday:
“Our outside forensics experts have not seen any indication that trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded…
"At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals. We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.”
Khosrowshahi has taken firm action related to the controversial company’s attempts to hush the incident up last year, including sacking its chief security officer, Joe Sullivan, and a deputy.
He’s currently asking former NSA general counsel Matt Olsen, now a consultant, for help with Uber’s security strategy, and has notified and provided affected drivers with free credit monitoring and ID protection. No such protection is being offered for riders, although Uber says it is monitoring affected accounts.
The attack occurred after two hackers managed to access a private GitHub coding site used by Uber engineers, and then used log-ins they found there to access the Amazon Web Services repository that handled “computing tasks” for the company, according to Bloomberg. From there, they pivoted to the highly prized customer/driver data.
Khosrowshahi concluded:
“None of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”
Following the revelations, New York Attorney General Eric Schneiderman has launched an investigation and class action lawsuits are said to have already been filed for alleged negligence.
Jeremiah Grossman, chief of security strategy at SentinelOne, argued that GitHub is a major source of risk for firms.
“It's difficult, if not impossible, for an organization to lock down this vector. Developers accidentally, and often unknowingly, share credentials over GitHub all the time where they become exposed,” he added. “While traditional security controls remain crucial to organizational security, it's no good if individuals with access to private information expose their account credentials in a place where they can be obtained and misused by others.”
Others argued the incident proves why password-based systems are no longer fit-for-purpose.
“A serious error on Uber’s part was storing the keys to its data store on a GitHub code repository which the attackers could access,” said Avecto senior security engineer, James Maude. “This is the digital equivalent of writing the password down on a bit of paper. Once the attackers had this key, they could access data easily.”
Jason Hart, CTO of data protection at Gemalto, claimed two things should have been done better by Uber: “faster disclosure and better use of encryption for the entire data lifecycle”.
“Delay in disclosing erodes trust, and it belies the fact that breaches like this, that access your data via cloud services, are inevitable,” he added.
There are also question marks around whether the hackers have kept their word and deleted all the stolen data, according to Webroot director of threat research, David Kennerley
“The fact is there is absolutely no guarantee the hackers didn't create multiple copies of the stolen data for future extortion or to sell on further down the line,” he argued.
Trend Micro VP of security research, Rik Ferguson agreed, explaining that “digital theft does not work the same way as in the physical world, you can never ‘buy back the negatives’ once data has been stolen”.
“I remain concerned at some of the wording in Mr. Khosrowshahi’s blog. He appears to distance Uber’s ‘corporate systems and infrastructure’ from the ‘third-party cloud-based service’ that was the target of the breach. This is perhaps indicative of the root of the problem. Cloud services adopted by a business are corporate systems and infrastructure and from a security perspective should be treated as such,” he added.
“You can’t outsource accountability."
Many others have warned that Uber would be on the hook for huge fines had the incident happened after May 25 next year, when the GDPR comes into force.
Dean Armstrong, barrister at Setfords Solicitors, said “the UK and Europe are adopting stricter rules on personal data protection for precisely this kind of event.”
“As Uber hasn't released its figures we can't speculate as to the potential final cost of the fine but it is fair to say the regulator would come down hard and under the regulations it would likely be in the tens of millions,” he added.