News broke overnight that the ride-hailing giant Uber has disclosed a 2016 data breach that it had previously attempted to cover up. The breach involved the data of 57 million users being stolen, and the company subsequently paid hackers £75,000 to delete the data. IT security experts commented below.
Zohar Alon, Co-Founder and CEO at Dome9:
“This is yet another case of user error trumping the best security measures readily available today. For an organization as large as Uber, this is inexplicable. There are tools available right now within GitHub that automatically check code for embedded access credentials such as AWS API keys. This is something that Uber, and any organization that is developing code, can and should implement whenever a software engineer checks in code to GitHub. Relying on a developer or administrator to follow best practices is foolhardy at scale and the errors seem to be more egregious each and every time a breach makes the headlines.”
Manoj Asnani, VP Product and Design at Balbix:
“Stolen passwords are one of the most common ways adversaries propagate through the enterprise to steal critical data. Most security solutions do not provide visibility into breach risk from password reuse. Predictive security solutions can look at the password behavior of users – including sharing of passwords across personal and corporate use – and flag that risk. With this kind of a solution, Uber would have been able to see developers sharing the same passwords for Github and AWS accounts and taken action to prevent this breach.”
Stephan Chenette, CEO and Co-Founder at AttackIQ:
“We continue to see security control misconfigurations that result in costly breaches. Organizations that do not actively search for protection failures will more than likely find themselves victims of cybercrime such as Uber. What makes this breach particularly damning is the failure of Uber to ethically disclose the breach to its customers. This is another epic failure.”
Ryan Wilk, Vice President of Customer Success at NuData Security:
“While the news of the Uber breach is never something you want to hear, it is refreshing to see a company taking such quick and decisive action to earn back the consumers’ trust. Uber CEO Dara Khosrowshahi’s statement that there is no excuse for what happened and that Uber will be putting integrity and trust at the core of every business decision is a welcome message.”
Jeremiah Grossman, Chief of Security Strategy at SentinelOne:
“Who needs exploits when GitHub exists? Github is a major source of risk for companies. It’s difficult, if not impossible, for an organisation to lock down this vector. Developers accidentally, and often unknowingly, share credentials over GitHub all the time where they become exposed. While traditional security controls remain crucial to organisational security, it’s no good if individuals with access to private information expose their account credentials in a place where they can be obtained and misused by others.
As consumers, we can do everything we can to maintain the security and privacy of your data on your devices. But what good is it if thousands of companies have access to your data and they get hacked? It feels like a no-win situation. Organisations like Uber have a social responsibility not only to do their best to protect the data they control, but to be transparent with their users about the risks to their identity. How an organisation responds to a breach is what really separates the good from the bad, and some handle the situation far better than others in prioritising what’s in their customers’ best interests. Kudos for Uber’s new CEO to come clean on the events of the past, but it still doesn’t immediately absolve the company’s actions.”
Ken Spinner, VP of Field Engineering at Varonis:
“One of the reasons often cited for why these massive data breaches keep happening is that the penalties aren’t incentivising companies to adequately protect their data. When GDPR kicks in next May, companies that handle EU citizen data will be faced with much stiffer penalties and a 72-hour disclosure window. To give perspective: under GDPR-level penalties, Uber could be fined up to $650,000,0000 for this breach (4% of their $6.5 billion revenue number for 2016). That’s a far cry from what we’re seeing now: they were breached in 2014 and fined $20,000 by the state of NY – not a deterrent at all for a company that makes billions of dollars.
The breach, at this point, could have resulted from a single point of failure. All it took was one developer making a mistake by checking a password into GitHub. Why does that password unlock so many sensitive records? These kinds of slip-ups are frequently surfaced during internal pen tests or third-party security audits. This point of failure raises the question: are Uber employees required to use 2FA for key applications like GitHub? Many attacks nowadays originate from compromised credentials; businesses need to ensure that hacking one employee’s account doesn’t unlock such a wide array of sensitive data.
This latest breach du jour is going to fire up already angry consumers, who are going to demand action and protection. Every state attorney general is going to be salivating at the prospect of suing Uber. While there’s no overarching federal regulations in place in the U.S., there’s a patchwork of state regulations that dictate when disclosures must be made – often it’s when a set number of users have been affected. No doubt Uber has surpassed this threshold and violated many of them by not disclosing the breach for over a year. This is the latest example of how hiding a breach rarely benefits a company and almost surely will backfire.”
Andy Norton, Director of Threat Intelligence at Lastline:
“The disclosure of the 2016 data breach at Uber, pre GDPR, is very timely, and hopefully will act as a warning for other companies who get extortion demands from hackers. Do not pay the ransom, and do not cover up the breach of personally identifiable data on customers and employees. It appears the new CEO at Uber has proactively decided to disclose the 2016 breach, probably for the purposes of building a foundation on which to establish a solid reputation for strong governance and balanced risk management. Two things that will be essential to Uber in continuing as a viable company and attracting investors at a public offering.
Additionally the timing is important. Firstly the disclosure shows the new CEO sending a clear message that ethically questionable business is not entertained, and secondly because the disclosure arrives before the deadline of GDPR, for which this kind of breach would be a poster child example. Based on 2016 revenues Uber would be looking at a $65 million fine, 4% of revenue if European customer data was in the breached database under GDPR.”
Terry Ray, CTO at Imperva:
“As reports have noted, the hack wasn’t sophisticated — the digital thieves broke into the accounts of two Uber engineers on Github, where they found the passwords to some online data storage that contained the personal info, according to the report.
This appears to be a prime example of good intentions gone bad. Using an online collaboration and coding platform isn’t necessarily wrong, and it isn’t clear if getting your accounts hacked on these platforms is even uncommon. The problem begins with why live production data was used in an online platform where credentials were available in github.
Sadly, it’s all too common that developers are allowed to copy live production data for use in development, testing and QA. This data is almost never monitored or secured, and as we can see here, it is often stored in various locations and is often easily accessed by nefarious actors.
Some of the questions that should be answered include: Why did engineers have access to 57 million records of personally identifiable information? Did they go through an approval work flow to move that data online? Did Uber security have any monitoring in place to alert them when such vast amounts of data were accessed? Controls to alert on suspicious data access do exist, but my guess is that they were not used, which is all too typical in today’s enterprises.
There have been data masking solutions available for more than a decade that transform production data into ‘like’ production data for development and testing purposes, thereby fully eliminating this risk, yet some don’t take such best practices or even fundamental security practices into consideration before asking for and using the public’s data. Uber is not alone, as many of these articles point out, they are simply this week’s hot breach due to the scope of the exposed data and the way they handled the incident.
In the digital age, it is common in organizations that many employees and affiliates need access to a large amount of the company’s data simply to do their job. Thus, controlling data access becomes one of the most challenging tasks of security officers.
The result is that most certainly, there will be another breach next week”
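The data masking approach described above, producing ‘like’ production data for development and testing, is shown here as an added example; it is not Imperva's product nor anything Uber runs. The records are constructed and the field names, the `MASK_KEY` constant and the `example.test` domain are assumptions for the example. Two properties matter for a dev/test copy: the fake value keeps the shape of the real one (an email stays an email, a phone keeps its punctuation and digit count, a licence keeps its letter/digit pattern) so application code and tests keep working, and the mapping is deterministic under a key held only by the masking job, so the same real value always masks to the same fake value and joins across tables survive, while nobody without the key can reverse it.

```python
"""Deterministic masking of a production export before it goes to dev/test.

Added example; not Imperva's product nor Uber's own code. Records below are
constructed. A keyed HMAC (key known only to the masking job) is stretched
with SHAKE-256 to produce stable, shape-preserving fake values.
"""
import hashlib
import hmac
import string

# Assumption: in a real pipeline this comes from a secret store and is never
# shipped to the environment that receives the masked data.
MASK_KEY = b"example-masking-key-rotate-me"


def _fake(alphabet: str, n: int, field: str, value: str) -> str:
    """n deterministic pseudo-random characters from alphabet, keyed per field."""
    seed = hmac.new(MASK_KEY, f"{field}:{value}".encode(), hashlib.sha256).digest()
    stream = hashlib.shake_256(seed).digest(n)
    # byte % len(alphabet) has a small modulo bias; acceptable for masking,
    # not for anything that needs uniform randomness
    return "".join(alphabet[b % len(alphabet)] for b in stream)


def mask_name(v: str) -> str:
    # names do not need to keep their shape, only to stay consistent
    return "Rider " + _fake(string.ascii_lowercase, 6, "name", v).capitalize()


def mask_email(v: str) -> str:
    # lower-case first so Alice@ and alice@ map to the same fake address
    local = _fake(string.ascii_lowercase + string.digits, 10, "email", v.lower())
    return "user-" + local + "@example.test"


def mask_phone(v: str) -> str:
    # replace each digit; keep +, spaces, dashes and brackets where they are
    digits = iter(_fake(string.digits, len(v), "phone", v))
    return "".join(next(digits) if c.isdigit() else c for c in v)


def mask_license(v: str) -> str:
    # letters stay letters and digits stay digits, position by position
    letters = _fake(string.ascii_uppercase, len(v), "lic-alpha", v)
    digits = _fake(string.digits, len(v), "lic-digit", v)
    return "".join(
        letters[i] if c.isalpha() else digits[i] if c.isdigit() else c
        for i, c in enumerate(v)
    )


MASKERS = {
    "name": mask_name,
    "email": mask_email,
    "phone": mask_phone,
    "driver_license": mask_license,
}


def shape(s: str) -> str:
    """Letters -> 'A', digits -> '9', other characters kept; checks format preservation."""
    return "".join("A" if c.isalpha() else "9" if c.isdigit() else c for c in s)


def mask_record(rec: dict) -> dict:
    """Mask the sensitive fields; non-sensitive fields (ids, cities) pass through."""
    return {k: MASKERS[k](v) if k in MASKERS else v for k, v in rec.items()}


def mask_records(recs: list[dict]) -> list[dict]:
    return [mask_record(r) for r in recs]


# Constructed sample export; not real people. Two rows share an email (with
# different casing) so the join-preservation property can be checked.
SAMPLE_RECORDS = [
    {"rider_id": 1001, "name": "Alice Example", "email": "alice@example.com",
     "phone": "+1-415-555-0134", "driver_license": "D1234567", "city": "SF"},
    {"rider_id": 1002, "name": "Bob Example", "email": "Alice@example.com",
     "phone": "(020) 7946 0958", "driver_license": "AB12CD34", "city": "London"},
]

if __name__ == "__main__":
    for before, after in zip(SAMPLE_RECORDS, mask_records(SAMPLE_RECORDS)):
        print(before, "->", after)
```

Because the masking is keyed, the dev/test environment can hold the masked rows indefinitely without ever holding anything that maps back to a rider; rotating `MASK_KEY` produces a fresh, unrelated fake dataset. The `shape` helper is what a test suite would use to assert that masked output still satisfies the application's format expectations.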
Josh Mayfield, Director at Firemon:
“The most recent cyberattack hitting rideshare service Uber makes clear the relevance of security in hyper-growth companies. Often, organizations experiencing a meteoric rise fail to keep up with security disciplines, which can lead to, say…50 million customer records being stolen.
It stands to reason that if Uber cannot keep its data secure, it is time to start thinking differently. Businesses and cyber threats move at a break-neck speed, making it increasingly difficult to keep pace with the latest malware mutations and cyberattack tactics.
It is not from lack of investment that data breaches happen. But the investments do not reflect the security intent into the most valuable information assets. Anyone can become cyber-resilient with the concerted discipline to focus on assets and form global policy controls, informed by security intent.
In a business like Uber, where you have computing resources flying around the world, in-and-out of clouds, you have a security policy that follows the system – protecting it no matter where it goes.”
Raj Samani, Chief Scientist and Fellow at McAfee:
“As a regular Uber customer myself, this news makes me incredibly angry. Uber has treated its customers with a complete lack of respect. Millions of people will now be worrying over what has happened to their personal data over the past 12 months, and Uber is directly responsible for this.
In opting to not only cover up the breach, but actually pay the hackers, Uber has directly contributed to the growth of cybercrime and the company needs to be held accountable for this.”
Javvad Malik, Security Advocate at AlienVault:
Companies of all sizes are constantly under attack. This isn’t just to obtain financial details, but customer or employee details, and even intellectual property. Against unrelenting attacks, security defences will ultimately be bypassed at some point. It is why investing in monitoring and threat detection, complemented by threat intelligence, is of the utmost importance for companies, so that any intrusions can be quickly identified and responded to so as to minimise the impact.
If a company is informed of a breach by criminals or a third party, it is too late to take any mitigating actions, leaving it exposed to the mercy of the attackers, partners, customers, employees, and regulators.
Simon Townsend, Chief Technologist – EMEA at Ivanti:
It is arguably morally incorrect and unacceptable in today’s world for an organisation, particularly one as widely used as Uber, to not only delay reporting a data breach, but to actually attempt to cover it up! Come May 25th next year, the General Data Protection Regulation (GDPR) will mean that all organisations that deal with EU citizens’ data will need to report a breach within 72 hours or risk being fined up to €20m or 4% of their annual turnover, whichever is larger. Considering that Uber’s revenue last year came to $6.5 billion, they’d be at risk of being fined $260 million.
Lots of people will question how this breach occurred and what could have been done to prevent it. Reports suggest that the breach took place because hackers were able to access Uber’s log-in credentials to Amazon Web Services which were, for some reason, available on a private area of GitHub. It doesn’t seem right that Uber, a company commonly regarded as THE digital transformation company, seemingly forgot the basics of traditional IT and failed to provide proper governance over an area of their business like the R&D department who were using cloud tools. Ultimately, when it comes to security and IT, it’s vital to get the basics right first – otherwise your technological innovations will be built on incredibly weak foundations. However, the real issue here is that Uber showed a blatant disregard for their employees’ and customers’ data by trying to cover up the breach, and that the breach has only been reported to the public a year after it occurred.
EU GDPR is trying to help organisations realise the importance of data protection come May 2018. “Doing an Uber” will be unacceptable so organisations need to be working overtime now to get their technology, people and processes ready for compliance.
Etienne Greeff, CTO and Co-Founder at SecureData:
“The news today that Uber have covered up a significant data breach is, unfortunately, unsurprising. It is also yet another textbook example, following from Equifax earlier in the year and Yahoo before that, of how not to handle this type of incident. Over 600,000 US drivers’ license numbers, 50 million riders’ email addresses, phone numbers, and names, and personal information of 7 million drivers were downloaded. Whilst not on the same magnitude as the previous examples, it goes to show that big business seems to care far more about covering its own back than the people’s data that is compromised.
“The final two nails in the coffin however, is the $100,000 dollar ‘ransom’ paid for the stolen data to be deleted, and the covering up of this breach in the first place. What’s more is that this isn’t the first time Uber have been in the spotlight for not reporting a breach – this first happened in 2016 for a breach in 2014. There is evidently something wrong here. Firstly there seemed to be no strong authentication, merely a password, for data stored on cloud infrastructure, and also the use of public cloud to store this incredibly confidential information, without the proper controls in place – frankly it’s staggering.
“Credit should, however, be given to Dara Khosrowshahi for both firing the Chief Security Officer, and promising to look into this properly whilst making no excuses for it – as there are none to be made. Login details were used, and unencrypted data was stolen, and subsequently covered up. In short, this is shambolic security practice and shows a blatant disregard for even the most basic principles of cybersecurity hygiene. This also plays into a trend that we are seeing where hackers will blackmail victims saying that a hack will not be disclosed if a ransom is paid. This is merely another way of monetising hacking which will only get worse when GDPR comes into full effect. This should serve as a lesson to other businesses about how to be more prompt and forthcoming with action against cybercrime.”
Dr Guy Bunker, SVP of Products at Clearswift:
As is the case with these kinds of attacks, a key error is engaging with these people or providing payment, as has happened here. They are after all, criminals. There is certainly no guarantee that you will get your data back or in this case, that the information will definitely be deleted. There is also no guarantee that you won’t be re-infected in a couple of weeks’ time when, what is most likely a piece of hidden malware, is reactivated. You’re dealing with criminals and it is far from likely that they are going to behave honourably.
What’s more, having to disclose a cover up is far worse than disclosing a data breach. Damage to reputation and distrust amongst customer and employee bases can be experienced affecting the brand and often revenue, long after the incident occurred.
In these situations, there is a process that organisations should follow for communicating a data breach or attack. Initially the staff should be informed and told who they should direct questions to. In conjunction to this, the Board, shareholders and authorities, such as the Information Commissioner’s Office, should be informed. While this is happening, more details should be uncovered in order to start to inform those who will be impacted by the breach before finally going out to the media and others who might not be directly impacted (such as all customers rather than the impacted subset).
After the initial critical communications, it is important to keep the communication flow going, through to resolution. People like to be reassured that it has not been forgotten. Regular communications should be sent to employees and stakeholders with resolution updates, perhaps around new policies or the introduction of new technologies to help prevent a breach from happening again. Even after that, there will probably need to be continued reporting (for several years) to the company auditors and authorities to show that things have improved and there have been no more incidents.
Robin Tombs, CEO at Yoti:
“Today’s revelation about the latest Uber hack is a shocking demonstration of poor practice when it comes to keeping data safe. Given the ever-growing number of high profile data breaches like this, which affected up to 57 million people, it’s no surprise that most consumers are increasingly worried about sharing their personal data. People have to trust that both big and small businesses will secure their information and not let it fall into the wrong hands; but with countless stories of data leaks, often from well-known brands like Uber, it’s no wonder this trust has gone.
“Businesses can protect themselves and consumers by encrypting data more effectively and by minimising the amount of sensitive data they ask for. We believe individuals controlling their own digital identities, will help protect them, their data and make it faster and easier to do trusted business online.”
Csaba Krasznay, Security Evangelist at Balabit:
In the case of the Uber data breach, it has been reported that the hackers were able to access a private area of Github, and from there, gain Uber’s log-in credentials to Amazon Web Services – the area where Uber stored this data. It is a well-established security best practice to implement a formal password policy for privileged accounts, including changing default passwords as a matter of course, but the truth is, this is no more than a first line of defense.
Professional cyber-criminals have a multitude of techniques to hack privileged account credentials, so if organizations really want to mitigate the risk of a breach they have to put in place technology that monitors behavior after the point of authentication. In other words, we have to assume that hackers are already inside the system, and look for triggers that can point to a malicious presence on the network. Passwords alone provide a very thin level of cyber-defense against today’s hackers.
These countermeasures should be kept in mind even in a DevOps environment, as these resources are becoming an increasingly popular target for cybercriminals.
Amit Yoran, CEO at Tenable:
“The Uber hack is just the latest example of a widespread culture of lackadaisical cyber practices and a lack of executive accountability – this mischaracterizes corporate risk and cripples cybersecurity efforts. Executives and organisations must be held accountable for both exercising a reasonable standard of care to protect their systems and their data and for discovering and disclosing breaches in a timely manner.”
Matt Walmsley, EMEA Director at Vectra:
“Uber has suffered yet another blow due to their failure to accurately identify the scale of this data breach. This is not a unique case though, as every day organisations around the world struggle to keep up with their cyber due diligence and corporate transparency.”
“Customers no longer tolerate excuses that organisations are unable to produce a full disclosure following a data breach. They expect businesses to alert them immediately of any personal data breach and provide a full analysis of the incident. More importantly, they want to be reminded of any possible consequences that may follow as a result of stolen data, and what assistance is available to them.
“Time and time again we see that all defences are imperfect. The onus needs to be on understanding an organisation’s cyber risk posture and cyber readiness. Not only in the abstract, but the real-time threat level and any in-progress attacks. We’re now at a time where artificial intelligence needs to be introduced to identify and respond to threats automatically and in real-time, a task that humans alone are simply incapable of performing at adequate scale and speed.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.