Following the announcement that Uber has been fined £385,000 by the ICO over ‘a series of avoidable data security flaws’ which allowed hackers to collect sensitive information on 2.7 million customers, IT security experts commented below.
Rich Campagna, CMO at Bitglass:
“This fine shows that even the most prominent public organisations need to pay more attention to data security policies and put in place appropriate measures to keep personal data safe. Many companies continue to display poor stewardship over the personal details belonging to customers, employees, and other parties. Unless organisations begin to respect the importance of protecting customer data, we will continue to see more big-name companies making costly mistakes that harm countless individuals.”
Stephen Moore, Chief Security Strategist at Exabeam:
“The most seasoned and well-resourced security teams can be easily overwhelmed by the volume of organisational alerts they receive in a day. That complexity, when combined with the inherent difficulties of detecting credential-based attacks, because the attackers are impersonating legitimate users, creates an environment that lacks control and trust. In this case, the security incident was likely the result of malicious actors using previously collected or breached login data to access accounts. To protect against these types of attacks, organisations must shift the enterprise security strategy. To remediate incidents involving user credentials and respond to adversaries, the key is to move fast and consider an approach that is closely aligned with monitoring user behaviour–to provide the necessary visibility needed to restore trust, and react in real time, to protect user accounts. This should include the ability to detect, using behavioural characteristics, when events have occurred – especially when it comes to client/member/customer-facing incidents.”
Luke Brown, VP EMEA at WinMagic:
“Data loss, data theft, data breach – these phrases are now part and parcel of the daily news agenda. My guess is that Uber hadn’t deployed encryption technology across all its platforms and environments. It’s well known that data residing anywhere in a company’s increasingly complex environment is at risk unless there is a standardised ubiquitous encryption platform in place. Falling victim to cyber criminals is the new normal, and all organisations need to take precautions to protect sensitive information should they become the victim of an attack.”
Jake Moore, Cyber Security Expert at ESET UK:
“Cyber criminals can do a lot of damage with a large breached list containing only names and emails so the ICO are determined to stamp out this type of activity – especially when it has been ruled ‘avoidable’. Having hackers know a set of live emails and names means they can send phishing emails or even attempt to work out the customers’ passwords. An incredibly large amount of people still use predictable or simple passwords. Together with previous and even recent high profile breaches, many people’s passwords are also readily available on the dark web so it can sadly be made very simple for the cyber criminals. There is no doubt that this fine would be higher if it had been post GDPR.”
Tim Erlin, VP at Tripwire:
“The ICO has previously demonstrated a willingness to fine organizations in circumstances like this, though it remains unclear whether such fines make a material difference in the overall security across industries. While this incident pre-dates the GDPR, fines like these must now be viewed in light of the more expansive regulations that have come into force. It’s important to remember that GDPR isn’t the first regulation to address security and data privacy. GDPR is designed to harmonize and update a disparate set of regulations across the EU. While GDPR provides the framework for significant fines, they are maximums, not minimums. The actual fines levied will be situationally determined.”
Javvad Malik, Security Advocate at AlienVault:
“The Uber fine shouldn’t come as a surprise to anyone that has been following the story. The company had inadequate protective and detective security controls. To make matters worse, the company tried to cover up the breach and paid money to keep things quiet, and in the process exposed its customers. While breaches are an unfortunate cost of doing business these days, it’s how a company acts in response that can make the difference between a large fine and a warning.”
.
Martin Jartelius, CSO at Outpost24:
“Taking into account the substantial impact of this breach and the way it was handled by Uber, this is also a good example of why GDPR is of importance to us all. We may not be protected from those recurring breaches, but customers and end users have a right to know when companies have failed to meet their obligation to protect our information.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.