Uber yesterday admitted that it covered up a massive data breach of 57 million customers’ and 600,000 drivers’ information in late 2016 by paying the hackers a $100,000 ransom.
In a statement, Uber CEO Dara Khosrowshahi said two hackers “inappropriately accessed user data stored on a third-party cloud-based service that we use.”
Specifically, Bloomberg reports, the hackers accessed a private GitHub site used by Uber software engineers, then used passwords they found there to access an Amazon Web Services account belonging to the company, where they found the sensitive data.
The attackers accessed a total of 600,000 U.S. drivers’ names and driver’s license numbers, and 57 million global users’ names, email addresses and mobile phone numbers.
“At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals,” Khosrowshahi said. “We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage account.”
According to Bloomberg, Uber also paid the hackers a $100,000 ransom not to release the data.
More recently, Khosrowshahi said, the two people who led the response to the incident (the CISO and an associate) have been fired, Uber is notifying regulatory authorities, and the company is providing affected drivers with free access to credit monitoring services.
“None of this should have happened, and I will not make excuses for it,” Khosrowshahi said. “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.”
There are a few things other companies can learn from Uber’s mistakes as well.
1. Review the security of your cloud deployments.
“The most important lesson for companies to take from this is quite simple: if you are using cloud storage or cloud processing for anything inside your enterprise, it is absolutely essential that you take a moment to pause and review all the relevant security controls surrounding the use of these tools,” Absolute global security strategist Richard Henderson told eSecurity Planet by email.
“Attackers are targeting these assets more and more, and if you have made any gaffes in protecting your data, they will find a way to access it,” Henderson added.
Chris Morales, head of security analytics at Vectra, noted that the challenge lies in the fact that traditional security tools and methods for internal data centers don’t have the same visibility in cloud environments. “Companies such as Uber who highly leverage cloud infrastructure for critical data need to build a security strategy that is cloud first with the right people, processes and tools that give them the necessary visibility into cloud attacks,” he said.
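The attack path described above, credentials left in a source repository and then reused against a cloud account, is exactly what a repository secret scan is meant to catch before code is pushed or shared. What follows is an added example, not Uber's tooling or anything from the article: a small Python scanner that flags AWS access key IDs by their fixed prefix and secret access keys by an assignment keyword plus an entropy check, run over constructed sample files whose key values are the placeholder credentials published in AWS's own documentation. The file contents, paths and threshold are illustrative assumptions.

```python
"""Offline scan of source and config text for hard-coded AWS credentials.

Added illustration only (not Uber's code or the article's): the same
checks would sit in a pre-commit hook or a CI job so that cloud keys
never land in a shared repository in the first place.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass

# AWS access key IDs are 20 characters: a 4-character prefix (AKIA for
# long-lived IAM user keys, ASIA for temporary STS keys) followed by
# 16 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")

# A secret access key is 40 base64-like characters. That alone is noisy,
# so the match is anchored on an assignment to a secret-key variable name.
SECRET_KEY_RE = re.compile(
    r"(?i)(aws_?secret_?access_?key|aws_?secret)\s*[:=]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# Real secrets are high-entropy; placeholders like 'xxxx...' are not.
# 3.5 bits/char is an assumed cut-off, tune it on your own false positives.
ENTROPY_THRESHOLD = 3.5


@dataclass
class Finding:
    path: str
    line_no: int
    kind: str
    value: str  # masked; the scanner never reports the full secret


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty or uniform input)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def mask(value: str) -> str:
    """Keep only the first and last four characters for the report."""
    return value[:4] + "..." + value[-4:]


def scan_text(path: str, text: str) -> list:
    """Return Findings for every credential-looking token in one file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(path, line_no, "aws_access_key_id", mask(m.group(1))))
        for m in SECRET_KEY_RE.finditer(line):
            secret = m.group(2)
            if shannon_entropy(secret) >= ENTROPY_THRESHOLD:
                findings.append(Finding(path, line_no, "aws_secret_access_key", mask(secret)))
    return findings


def scan_repo(files: dict) -> list:
    """Scan a mapping of path -> file text (stand-in for a checkout or a diff)."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample repository. The key values are the placeholder
# credentials AWS publishes in its documentation, not live keys.
SAMPLE_FILES = {
    "deploy/config.py": (
        "# constructed sample file\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    "README.md": (
        "Set AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY in the environment; "
        "never commit them.\n"
    ),
    # Low-entropy placeholder: matched by the regex, dropped by the entropy check.
    "tests/fixtures.py": "aws_secret_access_key = '" + "x" * 40 + "'\n",
}

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: {f.kind} {f.value}")
```

Run as a script it reports the two leaked values in `deploy/config.py` and nothing for the README or the low-entropy fixture. The masking is deliberate: a scanner that echoes full secrets into CI logs or ticket systems just creates a second leak.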
2. Regarding disclosure, honesty and forthrightness are key.
“Breach disclosure is critical to get right, because it can have long lasting effects on the organization and its customers,” SecureAuth chief security architect Stephen Cox said by email. “To the organization, every breached customer has a financial impact, and long term viability comes into question because of damage to the brand.”
AsTech chief security strategist Nathan Wenzler said the decisions made by Uber’s CISO and his associate in response to the incident are ultimately the most shocking part of the breach.
“Quite simply, legitimate security professionals know better than this, and the community at large is built upon integrity in all matters,” Wenzler said. “When you act as the front line of defense for an organization, it is imperative that your security team operates in the most honest and forthright manner possible.”
3. Your security and your brand are inextricably linked.
There’s no question that Uber bungled its response to a major incident, and its brand will suffer as a result.
Last fall, an Alertsec survey of 1,200 U.S. residents found that 97 percent of respondents said data breaches unsettle them and result in negative brand perception — 29 percent of respondents said it would take them several months to begin trusting a company again following a data breach.
LogRhythm CISO James Carder said the specifics of the breach ultimately matter less than how you handle it. “You can still come out of a breach in a pretty good spot if you’ve been diligent about your IT and security controls — including the implementation of monitoring, detection and response capabilities that can help minimize the impact of the breach and stamp down any thoughts of negligence,” he said.