Following on from the controversy over Uber’s licence to operate in London being suspended due to a lack of corporate responsibility, news has broken today that Uber suffered a massive data breach in 2016. Worse than the breach itself is the subsequent cover-up perpetrated by Uber’s management, coupled with the fact that they paid the hackers $100,000 to “delete the data [and] keep quiet.”
Joe Sullivan, who was lured from Facebook in 2015 to be Uber’s security chief, has been sacked as a result.
James Lyne, Sophos’ Cyber Security Advisor, has said: “Uber isn’t the only and won’t be the last company to hide a data breach or cyber attack. Not notifying consumers put them at greater risk of being victimized by fraud. It’s for precisely this reason that many countries are driving to regulations with mandatory breach disclosure.”
The data taken in the attack, which happened in October 2016, included the names, email addresses and phone numbers of 50 million Uber riders from all around the world. The personal information of approximately 7 million drivers was accessed as well, including around 600,000 US driver’s licence numbers.
One positive note is that no social security numbers, credit card details or trip location details were stolen.
Uber’s programmers uploaded security credentials to a GitHub repository
It has transpired that Uber’s programmers uploaded security credentials to a GitHub repository; from there it was elementary for the hackers to access Uber’s servers hosted on Amazon.
Chester Wisniewski, Sophos’ Principal Research Scientist, has commented: “Uber’s breach demonstrates once again how developers need to take security seriously and never embed or deploy access tokens and keys in source code repositories. I would say it feels like I have watched this movie before, but usually, organizations aren’t caught while actively involved in a cover-up. Putting the drama aside and the potential impacts of the upcoming GDPR enforcement, this is just another development team with poor security practices that have shared credentials. Sadly, this is common more often than not in agile development environments.”
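The failure Chester Wisniewski describes, credentials committed to a source repository, is exactly what a pre-commit or CI secret scan is meant to catch before the push happens. The following is an added example, not code from this article or from Uber, Sophos or GitHub: a small Python scanner that flags AWS access key IDs and secret keys by their documented format, and any other assigned token, secret or password value by its character entropy, run over a constructed in-memory repository. The file paths, the variable names, the entropy threshold of 4.0 bits per character and the sample credentials (the placeholder values AWS uses in its own documentation) are all assumptions for illustration.

```python
from __future__ import annotations

import math
import re
from dataclasses import dataclass

# Heuristic patterns for long-term AWS credentials. The AKIA/ASIA key-ID prefix
# and the 40-character secret are the documented formats, so they catch the
# common case of a key pasted straight into a settings file.
AWS_ACCESS_KEY_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
AWS_SECRET_KEY_RE = re.compile(
    r"(?i)(aws_?secret_?access_?key|secret_?key)\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})['\"]?"
)
# Generic catch-all: an assignment to a secret-looking name whose value is long.
# Entropy decides whether the value looks random (a real credential) or not.
GENERIC_ASSIGN_RE = re.compile(
    r"(?i)\b(token|secret|password|api_?key)\b\s*[=:]\s*['\"]?([A-Za-z0-9/+=_\-]{20,})['\"]?"
)


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    sample: str  # redacted, so the report itself does not leak the secret


def shannon_entropy(s: str) -> float:
    """Bits per character; random base64-style tokens sit well above 4.0."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in {ch: s.count(ch) for ch in set(s)}.values())


def redact(value: str) -> str:
    """Keep just enough of the value to locate it in the file."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def scan_text(path: str, text: str, entropy_threshold: float = 4.0) -> list[Finding]:
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        matched_specific = False
        for m in AWS_ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(path, line_no, "aws-access-key-id", redact(m.group(0))))
            matched_specific = True
        for m in AWS_SECRET_KEY_RE.finditer(line):
            findings.append(Finding(path, line_no, "aws-secret-access-key", redact(m.group(2))))
            matched_specific = True
        if matched_specific:
            continue  # do not double-report the same line under the generic rule
        for m in GENERIC_ASSIGN_RE.finditer(line):
            value = m.group(2)
            if shannon_entropy(value) >= entropy_threshold:
                findings.append(Finding(path, line_no, "high-entropy-secret", redact(value)))
    return findings


def scan_repo(files: dict[str, str]) -> list[Finding]:
    """Scan a {path: contents} mapping, e.g. the staged files of a commit."""
    out: list[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample repository. The AWS values are the placeholder credentials
# from AWS's own documentation; the token on scripts/notify.py is made up.
SAMPLE_REPO = {
    "config/settings.py": (
        "DEBUG = False\n"
        "# constructed sample: the placeholder credentials from AWS's documentation\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
        "LOG_LEVEL = 'info'\n"
    ),
    "deploy/env.example": (
        "# safe: resolved from the environment at deploy time, nothing committed\n"
        "AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}\n"
        "API_TOKEN=changeme\n"
    ),
    "scripts/notify.py": (
        "import requests\n"
        "token = 'zK9qL2mPv8RtX4WnB7cYdF3gH6jS1aE5uI0oN'   # constructed, not a real token\n"
        "password = 'aaaaaaaaaaaaaaaaaaaaaaaa'   # low entropy, stays below the threshold\n"
    ),
}


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f.path}:{f.line_no}: {f.kind} ({f.sample})")
```

In practice `scan_repo` would be fed the staged files from a pre-commit hook or the full history in CI, and any finding should fail the commit. Once a real key has been pushed, removing it from the tree is not enough: it survives in history and in every clone, so the key has to be treated as compromised and rotated, and the workload moved to short-lived credentials obtained at runtime rather than values stored in the repository.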
Rik Ferguson, Vice President Security Research at Trend Micro, has said that it is “heartening” to see that Uber’s new management team have come clean about the breach, but he “remains concerned” at some of the wording in the blog of Mr Khosrowshahi which revealed the breach. Mr Ferguson continued: “[Mr. Khosrowshahi] appears to distance Uber’s ‘corporate systems and infrastructure’ from the ‘third-party cloud-based service’ that was the target of the breach. This is perhaps indicative of the root of the problem. Cloud services adopted by a business *are* corporate systems and infrastructure and from a security perspective should be treated as such – you can’t outsource accountability.”
Mr Ferguson’s final comment is especially relevant following last week’s news of Cash Converters’ own breach: again, the blame was initially placed on a third party rather than the company taking responsibility for the failure.
Further breaches are bound to happen; industry analysts will be watching and listening for which companies are brave enough to accept accountability and which will continue to try to shift the blame. Leaders of every kind of business that holds personal data should take note of the recent headlines and start a culture shift that acknowledges responsibility cannot be passed on when failures like this occur.
Head of #Digital #Innovation @CompareTheCloud - Every Day #Creating #SilverLinings.