Uber’s hack cover-up has brought the rise in cybersecurity attacks, and the question of how a security breach should be handled, to the forefront on a global scale.
Uber Technologies CEO Dara Khosrowshahi admitted yesterday that, in late 2016, hackers had stolen the personal data of 57 million users from a third-party cloud-based service the firm uses. The company had kept the massive breach under wraps for over a year, adding to its growing list of scandals this year. The ride-hailing firm removed its chief security officer and one of his deputies for their roles in concealing the breach, which included a $100,000 payment to the attackers to delete the stolen data.
Industry experts say Uber should have handled the incident more efficiently and not waited for so long to inform customers and authorities.
Dan Sloshberg, cyber resilience expert, Mimecast, says, “Uber had both the legal and social obligation to inform governments and customers of this attack, and the fact the company chose to pay hackers and hide the massive breach is shocking. Pretending that an attack hasn’t happened, or quietly paying attackers off only emboldens perpetrators further.”
James Lyne, Sophos cybersecurity advisor, says, “Uber isn’t the only and won’t be the last company to hide a data breach or cyber-attack. Uber’s hack cover-up puts consumers at greater risk of being victimised with fraud. It’s for precisely this reason that many countries are driving to regulations with mandatory breach disclosure.”
According to Digital Shadows’ CTO and co-founder James Chappell, Uber’s data breach itself doesn’t come as a surprise. “While you could be surprised that such an effective architect of the digital world was not fully prepared for such an event, it does show that even the most tech-savvy businesses are open to the menace of data breaches and cyber-attacks.”
Sloshberg adds, “With the General Data Protection Regulation (GDPR) coming into effect in May 2018, businesses must report breaches within 72 hours or face crippling fines much bigger than what Uber paid to hackers.”
The European Union’s (EU) GDPR is a regulation through which the European Parliament, the Council of the European Union and the European Commission aim to strengthen and unify data protection for all individuals within the EU. The GDPR sets the maximum fine for non-compliance at up to 4 percent of a company’s annual turnover or 20 million euros. This applies to the more serious offences, such as failing to obtain customer consent for data processing or violating privacy rights.
“Businesses need to realise that the impact of breaches can be very serious with knock-on effects on the organisation itself, employees and customers. To combat threats and ensure they remain compliant ahead of the GDPR, organisations must invest in minimising their risk appropriately with an appropriate cyber resilience strategy. This should also include a plan if something does go wrong,” Sloshberg explains.
According to Uber, two attackers gained access to a private GitHub repository used by the firm’s software engineers, found login credentials stored there, and used them to access data held in an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information. The perpetrators then emailed Uber asking for money, according to the company.
Chappell says, “We don’t know the full picture of Uber’s hack yet, but their statement says that hackers accessed a ‘private’ area of GitHub, a web-based data hosting service used by the app developers. That likely means that the ‘private area’ should have been private, but was not for some reason. Or it could mean that ‘private area’ is behind the GitHub login pages and some sort of compromise of GitHub must have occurred, most likely by credential stuffing or keylogging.”
He says, either way, what is absolutely certain is that “this sort of attack should have been spotted sooner and ideally before significant data had been extracted.”
According to Chappell, if basic login details were stolen, this is something Uber could have been monitoring for and prevented.
“The storage of sensitive IT system logins should not have been in that website in the first place. It appears in Uber’s case they found out about it when the hackers came asking for money to delete the stolen data – $100,000 (£75,000).”
Adding that there is little honour among thieves, he says, “Whether paying the ransom had the effect of deleting the data as expected, only time will tell. Security firms often advise not to pay ransoms, as organisations can make themselves a more attractive target should their willingness to pay emerge.”
The lesson to be learnt from Uber’s hack is that no matter how technologically immersed a business may be, it needs to monitor for digital risk. Organisations must have systems in place to understand what kind of digital crumbs they are leaving behind, to recognise an attack, and to take action immediately. And if a breach does occur, covering it up does not help anyone; it only delays the inevitable.
“Firms need to have the ability to monitor both their own use of digital technologies, and their digital footprint even and especially across third party sites like GitHub and others. Knowing your digital risk exposure is the only way you can monitor your digital risk itself, and be on top of incidents like this quickly and efficiently,” Chappell adds.