News broke overnight that the ride-hailing giant Uber has disclosed a data breach, dating from 2016, that it previously attempted to cover up. The breach involved the theft of data on 57 million users, after which the company paid the hackers £75,000 to delete the data. IT security experts commented below.
Zohar Alon, Co-Founder and CEO at Dome9:
Manoj Asnani, VP Product and Design at Balbix:
Stephan Chenette, CEO and Co-Founder at AttackIQ:
Ryan Wilk, Vice President of Customer Success at NuData Security:
Jeremiah Grossman, Chief of Security Strategy at SentinelOne:
“As consumers, we can do everything we can to maintain the security and privacy of our data on our devices. But what good is it if thousands of companies have access to your data and they get hacked? It feels like a no-win situation. Organisations like Uber have a social responsibility not only to do their best to protect the data they control, but to be transparent with their users about the risks to their identity. How an organisation responds to a breach is what really separates the good from the bad, and some handle the situation far better than others in prioritising what’s in their customers’ best interests. Kudos to Uber’s new CEO for coming clean on the events of the past, but it still doesn’t immediately absolve the company’s actions.”
Ken Spinner, VP of Field Engineering at Varonis:
“The breach, at this point, could have resulted from a single point of failure. All it took was one developer making a mistake by checking a password into GitHub. Why does that password unlock so many sensitive records? These kinds of slip-ups are frequently surfaced during internal pen tests or third-party security audits. This point of failure raises the question: are Uber employees required to use 2FA for key applications like GitHub? Many attacks nowadays originate from compromised credentials; businesses need to ensure that hacking one employee’s account doesn’t unlock such a wide array of sensitive data.
This latest breach du jour is going to fire up already angry consumers, who are going to demand action and protection. Every state attorney general is going to be salivating at the prospect of suing Uber. While there are no overarching federal regulations in place in the U.S., there is a patchwork of state regulations that dictate when disclosures must be made – often it’s when a set number of users have been affected. No doubt Uber has surpassed this threshold and violated many of them by not disclosing the breach for over a year. This is the latest example of how hiding a breach rarely benefits a company and almost surely will backfire.”
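The failure mode Spinner describes, a credential committed to a source repository, is exactly what a pre-commit or CI secret scanner is meant to catch before the push lands. The following Python is an added example, not code from the article or from any commenter's product: it scans the added lines of a unified diff for AWS access key IDs (fixed 20-character structure) and for 40-character secret access keys, and uses a Shannon entropy check so that obvious placeholders such as a string of x's are not reported. The diff is constructed; the key values are the placeholder credentials from AWS's own documentation, not real keys; and the 3.5-bit entropy threshold is an assumed tuning value.

```python
import math
import re

# Constructed sample input: a fake git diff. The credential values are the
# placeholder keys from AWS's own documentation ("...EXAMPLE"), not real keys.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+# placeholder that a naive 40-character rule would also flag:
+AWS_SECRET_ACCESS_KEY_DEV = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+DEBUG = True
"""

# AWS access key IDs are 20 characters: a 4-letter prefix (AKIA for long-term
# IAM user keys) followed by 16 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
# Secret access keys are 40 characters from the base64 alphabet. Requiring a
# nearby "secret" word cuts false positives from ordinary base64 blobs.
SECRET_KEY_RE = re.compile(
    r"(?i)secret[^\n]{0,40}?['\"]([A-Za-z0-9/+=]{40})['\"]"
)

ENTROPY_THRESHOLD = 3.5  # bits per character; assumed value, tune per repo


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty or one-symbol input)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(
        (c / n) * math.log2(c / n)
        for c in (s.count(ch) for ch in set(s))
    )


def scan_diff(diff: str) -> list:
    """Return (line_no, kind, value) for every credential-looking token on the
    added ('+') lines of a unified diff. Access key IDs have a fixed structure
    and are reported outright; secret candidates must also look random, which
    filters out 'xxxx...' style placeholders."""
    findings = []
    for line_no, line in enumerate(diff.splitlines(), start=1):
        if not line.startswith("+") or line.startswith("+++"):
            continue  # only newly added content matters for a commit gate
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((line_no, "aws_access_key_id", m.group(1)))
        for m in SECRET_KEY_RE.finditer(line):
            candidate = m.group(1)
            if shannon_entropy(candidate) >= ENTROPY_THRESHOLD:
                findings.append((line_no, "aws_secret_access_key", candidate))
    return findings


if __name__ == "__main__":
    for line_no, kind, value in scan_diff(SAMPLE_DIFF):
        # Never echo a full secret into CI logs; show a short prefix only.
        print(f"line {line_no}: {kind} {value[:4]}...")
```

Run on the sample, the scanner reports the access key ID on line 2 and the secret on line 3, and skips the all-x placeholder on line 5 because its entropy is zero. A scanner like this is a last line of defence; the credential itself should be short-lived and scoped so that, as Spinner asks, one leaked password cannot unlock 57 million records.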
Andy Norton, Director of Threat Intelligence at Lastline:
“Additionally, the timing is important. Firstly, the disclosure shows the new CEO sending a clear message that ethically questionable business is not entertained, and secondly, the disclosure arrives before the deadline of GDPR, for which this kind of breach would be a poster-child example. Based on 2016 revenues, Uber would be looking at a $65 million fine, 4% of revenue, if European customer data was in the breached database under GDPR.”
Terry Ray, CTO at Imperva:
“This appears to be a prime example of good intentions gone bad. Using an online collaboration and coding platform isn’t necessarily wrong, and it isn’t clear if getting your accounts hacked on these platforms is even uncommon. The problem begins with why live production data was used in an online platform where credentials were available in GitHub.
Sadly, it’s all too common that developers are allowed to copy live production data for use in development, testing and QA. This data is almost never monitored or secured, and as we can see here, it is often stored in various locations and is often easily accessed by nefarious actors.
Some of the questions that should be answered include: Why did engineers have access to 57 million records of personally identifiable information? Did they go through an approval workflow to move that data online? Did Uber security have any monitoring in place to alert them when such vast amounts of data were accessed? Controls to alert on suspicious data access do exist, but my guess is that they were not used, which is all too typical in today’s enterprises.
There have been data masking solutions available for more than a decade that transform production data into ‘like’ production data for development and testing purposes, thereby fully eliminating this risk, yet some don’t take such best practices or even fundamental security practices into consideration before asking for and using the public’s data. Uber is not alone, as many of these articles point out; they are simply this week’s hot breach due to the scope of the exposed data and the way they handled the incident.
In the digital age, it is common in organisations that many employees and affiliates need access to a large amount of the company’s data simply to do their job. Thus, controlling data access becomes one of the most challenging tasks of security officers.
The result is that, most certainly, there will be another breach next week.”
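Ray's point about masking production data into ‘like’ production data is easiest to see in code. The following Python is an added example, not code from the article or from Imperva: it shows keyed, deterministic pseudonymisation, where every sensitive column is replaced by a token derived with HMAC-SHA256 under a key held outside the dataset, so the same email in two tables maps to the same token and development queries that join on it still work, while the masked copy on its own cannot be turned back into real identities. The rider and trip rows are constructed, the Masker class and its per-column output formats are assumptions of this example, and the masking key is itself a secret to be kept out of the repository and the masked dataset.

```python
import hashlib
import hmac
import secrets

# Constructed sample "production" rows (fictional people), split across two
# tables that join on email, as a rider table and a trip table might.
RIDERS = [
    {"rider_id": 1, "name": "Alice Example", "email": "alice@example.com",
     "phone": "+1-415-555-0101"},
    {"rider_id": 2, "name": "Bob Example", "email": "bob@example.com",
     "phone": "+1-415-555-0102"},
]
TRIPS = [
    {"trip_id": 100, "rider_email": "alice@example.com", "fare": 12.50},
    {"trip_id": 101, "rider_email": "alice@example.com", "fare": 8.75},
    {"trip_id": 102, "rider_email": "bob@example.com", "fare": 21.00},
]


class Masker:
    """Keyed, deterministic pseudonymisation (an assumed design for this
    example). Under one key the same input always yields the same token, so
    joins survive; without the key the tokens cannot be reversed or
    regenerated from the masked copy."""

    def __init__(self, key: bytes):
        self.key = key

    def _digest(self, value: str, column: str) -> bytes:
        # Domain-separate by column so equal strings in different columns get
        # different tokens and a token never reveals which column it came from.
        msg = f"{column}\x00{value}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def email(self, value: str) -> str:
        # Syntactically valid, but on a reserved TLD so test mail can never
        # reach a real person.
        return f"user_{self._digest(value, 'email').hex()[:12]}@example.invalid"

    def name(self, value: str) -> str:
        return f"Person {self._digest(value, 'name').hex()[:8]}"

    def phone(self, value: str) -> str:
        # Shape-preserving: keep the dialling prefix, derive the last two
        # digits from the key and stay inside the fictional 555-01xx block.
        # Phone is not a join key here, so occasional collisions are harmless.
        suffix = int.from_bytes(self._digest(value, "phone")[:2], "big") % 100
        return f"+1-415-555-01{suffix:02d}"


def mask_dataset(riders, trips, key: bytes):
    """Return masked copies of both tables using one key, so that
    trips.rider_email still joins to riders.email after masking."""
    m = Masker(key)
    masked_riders = [
        {**r, "name": m.name(r["name"]), "email": m.email(r["email"]),
         "phone": m.phone(r["phone"])}
        for r in riders
    ]
    masked_trips = [{**t, "rider_email": m.email(t["rider_email"])} for t in trips]
    return masked_riders, masked_trips


def trips_per_rider(riders, trips) -> dict:
    """A typical dev/test query; it must give the same counts on real and
    masked data if referential integrity was preserved."""
    return {
        r["email"]: sum(1 for t in trips if t["rider_email"] == r["email"])
        for r in riders
    }


if __name__ == "__main__":
    # The masking key is a secret in its own right: generate it once, keep it
    # out of the repository and out of the masked dataset.
    key = secrets.token_bytes(32)
    masked_riders, masked_trips = mask_dataset(RIDERS, TRIPS, key)
    print(trips_per_rider(RIDERS, TRIPS))
    print(trips_per_rider(masked_riders, masked_trips))
```

The per-rider trip counts come out identical on the real and the masked tables, which is what makes the masked copy usable for development; the names, emails and phone numbers are all synthetic. Because the mapping is keyed rather than a plain hash, an attacker who obtains the masked copy cannot confirm a guess such as alice@example.com by hashing it themselves.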
Josh Mayfield, Director at Firemon:
“It stands to reason that if Uber cannot keep its data secure, it is time to start thinking differently. Businesses and cyber threats move at a break-neck speed, making it increasingly difficult to keep pace with the latest malware mutations and cyberattack tactics.
It is not from lack of investment that data breaches happen. But the investments do not reflect the security intent into the most valuable information assets. Anyone can become cyber-resilient with the concerted discipline to focus on assets and form global policy controls, informed by security intent.
In a business like Uber, where you have computing resources flying around the world, in-and-out of clouds, you have a security policy that follows the system – protecting it no matter where it goes.”
Raj Samani, Chief Scientist and Fellow at McAfee:
“In opting to not only cover up the breach, but actually pay the hackers, Uber has directly contributed to the growth of cybercrime and the company needs to be held accountable for this.”
Javvad Malik, Security Advocate at AlienVault:
“If a company is informed of a breach by criminals or a third party, it is too late to take any mitigating actions, leaving it exposed to the mercy of the attackers, partners, customers, employees, and regulators.”
Simon Townsend, Chief Technologist – EMEA at Ivanti:
“Lots of people will question how this breach occurred and what could have been done to prevent it. Reports suggest that the breach took place because hackers were able to access Uber’s log-in credentials to Amazon Web Services, which were, for some reason, available in a private area of GitHub. It doesn’t seem right that Uber, a company commonly regarded as THE digital transformation company, seemingly forgot the basics of traditional IT and failed to provide proper governance over an area of their business like the R&D department, who were using cloud tools. Ultimately, when it comes to security and IT, it’s vital to get the basics right first – otherwise your technological innovations will be built on incredibly weak foundations. However, the real issue here is that Uber showed a blatant disregard for their employees’ and customers’ data by trying to cover up the breach, and that the breach has only been reported to the public a year after it occurred.
EU GDPR is trying to help organisations realise the importance of data protection come May 2018. ‘Doing an Uber’ will be unacceptable, so organisations need to be working overtime now to get their technology, people and processes ready for compliance.”
Etienne Greeff, CTO and Co-Founder at SecureData:
“The final two nails in the coffin, however, are the $100,000 ‘ransom’ paid for the stolen data to be deleted, and the covering up of this breach in the first place. What’s more is that this isn’t the first time Uber have been in the spotlight for not reporting a breach – this first happened in 2016 for a breach in 2014. There is evidently something wrong here. Firstly, there seemed to be no strong authentication, merely a password, for data stored on cloud infrastructure, and also the use of public cloud to store this incredibly confidential information without the proper controls in place – frankly, it’s staggering.
“Credit should, however, be given to Dara Khosrowshahi for both firing the Chief Security Officer, and promising to look into this properly whilst making no excuses for it – as there are none to be made. Login details were used, and unencrypted data was stolen, and subsequently covered up. In short, this is shambolic security practice and shows a blatant disregard for even the most basic principles of cybersecurity hygiene. This also plays into a trend that we are seeing where hackers will blackmail victims saying that a hack will not be disclosed if a ransom is paid. This is merely another way of monetising hacking which will only get worse when GDPR comes into full effect. This should serve as a lesson to other businesses about how to be more prompt and forthcoming with action against cybercrime.”
Dr Guy Bunker, SVP of Products at Clearswift:
“What’s more, having to disclose a cover-up is far worse than disclosing a data breach. Damage to reputation and distrust amongst customer and employee bases can be experienced, affecting the brand and often revenue, long after the incident occurred.
In these situations, there is a process that organisations should follow for communicating a data breach or attack. Initially the staff should be informed and told who they should direct questions to. In conjunction with this, the Board, shareholders and authorities, such as the Information Commissioner’s Office, should be informed. While this is happening, more details should be uncovered in order to start to inform those who will be impacted by the breach, before finally going out to the media and others who might not be directly impacted (such as all customers rather than the impacted subset).
After the initial critical communications, it is important to keep the communication flow going, through to resolution. People like to be reassured that it has not been forgotten. Regular communications should be sent to employees and stakeholders with resolution updates, perhaps around new policies or the introduction of new technologies to help prevent a breach from happening again. Even after that, there will probably need to be continued reporting (for several years) to the company auditors and authorities to show that things have improved and there have been no more incidents.”
Robin Tombs, CEO at Yoti:
“Businesses can protect themselves and consumers by encrypting data more effectively and by minimising the amount of sensitive data they ask for. We believe individuals controlling their own digital identities, will help protect them, their data and make it faster and easier to do trusted business online.”
Csaba Krasznay, Security Evangelist at Balabit:
“Professional cyber-criminals have a multitude of techniques to hack privileged account credentials, so if organisations really want to mitigate the risk of a breach they have to put in place technology that monitors behaviour after the point of authentication. In other words, we have to assume that hackers are already inside the system, and look for triggers that can point to a malicious presence on the network. Passwords alone provide a very thin level of cyber-defence against today’s hackers.
These countermeasures should be kept in mind even in a DevOps environment, as these resources are becoming an increasingly popular target for cybercriminals.”
Amit Yoran, CEO at Tenable:
Matt Walmsley, EMEA Director at Vectra:
“Customers no longer tolerate excuses that organisations are unable to produce a full disclosure following a data breach. They expect businesses to alert them immediately of any personal data breach and provide a full analysis of the incident. More importantly, they want to be reminded of any possible consequences that may follow as a result of stolen data, and what assistance is available to them.
“Time and time again we see that all defences are imperfect. The onus needs to be on understanding an organisation’s cyber risk posture and cyber readiness. Not only in the abstract, but the real-time threat level and any in-progress attacks. We’re now at a time where artificial intelligence needs to be introduced to identify and respond to threats automatically and in real-time, a task that humans alone are simply incapable of performing at adequate scale and speed.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.