In a highly publicized data breach incident, rideshare application Uber announced that the personal information of 57 million customers and drivers was potentially compromised in October 2016, an incident further complicated by the company's failure to notify legal authorities and regulators.
Uber CEO Dara Khosrowshahi acknowledged the existence of the hack in a statement published on their website, stating that in 2016, two outsiders gained access to user data that was stored on a third-party cloud-based service used by the company. The trove of stolen information included the names and driver’s license numbers of 600,000 Uber drivers, but Khosrowshahi clarified that the company’s corporate infrastructure and systems were not affected.
The hackers were able to gain access to the information after developers working for the company uploaded code to the code-hosting site GitHub. Unfortunately, this code also contained credentials, which the hackers used to log into accounts on Uber's network that held the sensitive data, hosted on Amazon Web Services (AWS) servers.
According to reports, the incident was further complicated when Uber paid the hackers $100,000 to delete the data and prevent the breach from being disclosed publicly. According to insiders, the company also had the hackers sign nondisclosure agreements as part of the deal, making the payment appear to be part of a bug bounty program, in which "bug hunters" are paid for finding security flaws in a company's systems. In its statement, Uber also mentioned that two individuals who were part of the initial response back in 2016 were fired from the company.
Immediately after the breach, the company took steps to secure the data and prevent further unauthorized access by the two individuals. Uber also implemented security measures on its cloud-based storage accounts intended to restrict access and strengthen controls. The drivers whose information was compromised were notified and provided with free credit monitoring and identity theft protection.
Insights from the Uber breach
Not only is this latest incident one in a long line of recent data breaches, but it is also not the first one to involve the highly popular ridesharing company—back in April 2016, a series of "phantom trips" occurred after stolen Uber accounts were peddled in the underground. Just a few days ago, a similar incident involved drone manufacturer DJI, which was also the subject of a data breach involving GitHub repositories.
For organizations, there are many lessons to be learned from this incident, starting with the proper configuration of public cloud storage, as well as increased emphasis on its security.
In Uber's case, the error was compounded by the exposure of sensitive credentials in source code, which could easily have been avoided by reviewing what goes into these repositories before it is pushed. In addition, adherence to the shared responsibility model for cloud services can create a highly secure environment that makes it difficult for attackers to access sensitive information.
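The repository exposure described above is the kind of mistake a pre-commit check catches before code leaves a developer's machine. The scanner below is an added illustration for this article, not Uber's or GitHub's own tooling: its rule set is a small constructed heuristic (the two AWS key formats are the publicly documented ones, the password rule and entropy threshold are assumptions), and the sample file it scans uses the placeholder credentials from AWS's own documentation rather than any real key.

```python
"""Pre-commit style secret scanner, written as an illustration for this article.
Everything here is constructed: the rule set is a small heuristic one, and the
AWS values in SAMPLE are the placeholder credentials from AWS's documentation."""
from __future__ import annotations

import math
import re
import sys
from dataclasses import dataclass
from typing import List

# Pattern rules: (name, regex). Group 1 is the secret value.
RULES = [
    ("aws-access-key-id", re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")),
    ("aws-secret-access-key",
     re.compile(r"(?i)aws.{0,20}?secret.{0,20}?['\"]([A-Za-z0-9/+=]{40})['\"]")),
    ("generic-password-assignment",
     re.compile(r"(?i)(?:password|passwd|pwd)\s*[=:]\s*['\"]([^'\"\s]{6,})['\"]")),
]
# Entropy rule: long opaque tokens that no pattern above recognised.
TOKEN_RE = re.compile(r"[A-Za-z0-9/+=_-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character (assumed); prose and identifiers sit well below


@dataclass
class Finding:
    path: str
    line_no: int
    rule: str
    redacted: str  # first four characters only, so the report itself leaks nothing


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _redact(value: str) -> str:
    return f"{value[:4]}... ({len(value)} chars)"


def scan_text(text: str, path: str = "<stdin>") -> List[Finding]:
    """Run every rule over each line; entropy only on tokens no pattern already flagged."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        flagged = set()
        for name, rx in RULES:
            for m in rx.finditer(line):
                value = m.group(1)
                flagged.add(value)
                findings.append(Finding(path, line_no, name, _redact(value)))
        for tok in TOKEN_RE.findall(line):
            if tok in flagged:
                continue
            if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
                findings.append(Finding(path, line_no, "high-entropy-string", _redact(tok)))
    return findings


def scan_files(paths) -> List[Finding]:
    out: List[Finding] = []
    for p in paths:
        with open(p, encoding="utf-8", errors="replace") as fh:
            out.extend(scan_text(fh.read(), p))
    return out


# Constructed sample file; the AWS values are AWS documentation placeholders.
SAMPLE = """\
# config.py (constructed sample; the AWS values are the placeholder
# credentials from AWS's own documentation, not live keys)
DB_HOST = "db.internal.example"
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
db_password = "hunter2hunter2"
region = "us-east-1"
"""


def main(argv) -> int:
    # With file arguments: scan them (pre-commit usage); without: scan SAMPLE.
    findings = scan_files(argv[1:]) if argv[1:] else scan_text(SAMPLE, "sample")
    for f in findings:
        print(f"{f.path}:{f.line_no}: {f.rule}: {f.redacted}")
    return 1 if findings else 0  # non-zero exit blocks the commit


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wired into a pre-commit hook as `python secret_scan.py $(git diff --cached --name-only)`, a non-zero exit refuses the commit. The report redacts every value it finds, so the hook's own output can be pasted into a ticket without repeating the exposure; the entropy rule is deliberately skipped for tokens a pattern rule already caught, so each secret is reported once.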
Moreover, paying off threat actors does not make the problem "go away," as it guarantees neither that the data will be deleted nor that public disclosure can be avoided. In fact, it will likely complicate things even more, as the payment can be used to fund future attacks and the arrangement can be construed as a violation of regulations, depending on the circumstances. It can also hurt a company's reputation and damage the trust between the company and its customers and partners. It is reasonable to assume that, in most data breach cases, the personal information acquired by the attackers will be sold in the underground.
Customers should always be aware of the potential impact applications could have on their privacy. Many users download apps without realizing that these could be gathering personal information that could be exposed in the event of a data breach. For users whose privacy is non-negotiable, looking for "opt-out" clauses or even choosing alternative apps would be the better choice.
While Uber initially made mistakes with how they handled the incident, the company is now taking the right steps to address the breach by placing greater emphasis on securing their cloud storage and repositories. While the incident cannot be reversed, creating comprehensive contingency measures and mobility plans can help mitigate the impact of data breaches.
What can organizations do to minimize or even prevent the impact of the breach?
• Double-check the data that goes into public cloud storage and ensure that these services are properly configured.
• Avoid paying attackers, as this does not really solve the issue and will often even exacerbate it. Instead, organizations should work with legal authorities and security experts to determine the next steps to be taken.
• Create a contingency plan that addresses potential security incidents, while ensuring that customers and partners are informed of the details of the incident and the steps being taken to mitigate its impact. User notification is a standard requirement of data breach notification laws worldwide, such as the EU General Data Protection Regulation (GDPR).
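The first recommendation, proper configuration of cloud storage, can be checked offline against the configuration documents themselves. The script below is an added example for this article, not Uber's or AWS's code; it assumes the storage in question is an S3-style bucket (the article only says AWS), and the bucket name, account ID and role name in the two sample policies are constructed placeholders. It flags any Allow statement granted to everyone and any of the four "Block Public Access" switches that are not set, showing a weak configuration beside a hardened one.

```python
"""Offline check of an S3-style bucket policy and Block Public Access settings.
Added illustration for this article, not Uber's or AWS's code: the bucket,
account and role names below are constructed placeholders."""
from __future__ import annotations

import json
from typing import Any, List

# The four S3 Block Public Access switches; a hardened bucket sets all of them.
PUBLIC_ACCESS_BLOCK_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
                            "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value: Any) -> list:
    return value if isinstance(value, list) else [value]


def principal_is_wildcard(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"} (including a list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def find_public_statements(policy: dict) -> List[str]:
    """One description per Allow statement granted to everyone; Deny statements are fine."""
    findings: List[str] = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not principal_is_wildcard(stmt.get("Principal")):
            continue
        actions = ", ".join(_as_list(stmt.get("Action", [])))
        scope = "conditional" if stmt.get("Condition") else "unconditional"
        findings.append(f"statement {stmt.get('Sid', index)}: {scope} public Allow on {actions}")
    return findings


def public_access_block_gaps(config: dict) -> List[str]:
    """Names of Block Public Access switches that are missing or not true."""
    return [k for k in PUBLIC_ACCESS_BLOCK_KEYS if config.get(k) is not True]


# Constructed weak configuration: world-readable bucket, no public-access block.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-driver-records",
                 "arn:aws:s3:::example-driver-records/*"]
  }]
}""")
WEAK_BLOCK = {k: False for k in PUBLIC_ACCESS_BLOCK_KEYS}

# Constructed hardened configuration: one named role, plus a Deny for plaintext
# transport (a wildcard principal on a Deny is not a public grant).
HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "IngestRoleOnly",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/IngestRole"},
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::example-driver-records/*"
  }, {
    "Sid": "DenyInsecureTransport",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::example-driver-records",
                 "arn:aws:s3:::example-driver-records/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}
  }]
}""")
HARDENED_BLOCK = {k: True for k in PUBLIC_ACCESS_BLOCK_KEYS}


def main() -> None:
    for label, policy, block in (("weak", WEAK_POLICY, WEAK_BLOCK),
                                 ("hardened", HARDENED_POLICY, HARDENED_BLOCK)):
        print(f"[{label}] public statements: {find_public_statements(policy) or 'none'}")
        print(f"[{label}] block-public-access gaps: {public_access_block_gaps(block) or 'none'}")


if __name__ == "__main__":
    main()
```

In practice the two inputs come from the storage provider's API (for S3, the bucket policy and the public-access-block configuration); the check itself needs no network access, so it can run in a pipeline against exported configuration before a bucket is created.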
Organizations that rely heavily on cloud storage can look into the use of multilayered solutions such as Trend Micro™ Hybrid Cloud Security, which delivers a blend of cross-generational threat defense techniques that have been optimized to protect physical, virtual, and cloud workloads.