Security experts respond to Uber’s cover-up of the hack that leaked details of 57 million people.
When Uber was hacked last year – losing 57 million drivers’ and customers’ details to cyber criminals – it decided not to tell anybody.
Instead it chose to conceal the data breach from everyone, even paying the hackers US$100,000 to keep quiet and, Uber hoped, delete the data as promised.
When news of the breach came to light yesterday, however, the cover-up backfired, creating a PR disaster for the ride sharing company.
Uber suffered the breach in October 2016 when hackers gained access to proprietary information stored on GitHub, which was then used to break into its Amazon Web Services account. Data belonging to 50 million customers was stolen as a result, including email addresses, phone numbers, and names.
An additional 7 million drivers also had their personal information accessed, including 600,000 US driver's licences, Bloomberg reported.
Former CEO Travis Kalanick was alerted to the breach the following month, reports claimed, but Uber decided to hide the breach from authorities and buy the hackers' silence.
The hack, and the subsequent cover-up, took place during Kalanick's tenure as CEO. His successor, Dara Khosrowshahi, apologised for the cover-up, promising Uber will learn from its “mistakes”.
However, the episode should be an example to every business of how not to handle a data breach. As industry analyst Graham Cluley notes, “cock-ups are bad, but cover-ups can kill you”.
“You can ask forgiveness for being hacked, but many people will find it harder to forgive and forget if you deliberately concealed the truth from them,” adds Cluley, in a blog post.
Governments around the globe have launched investigations into the Uber breach, according to iTnews. The Office of the Australian Privacy Commissioner said it was aware of the issue and had “commenced inquiries” with Uber.
A simple, preventable hack
Many industry experts say they are amazed that such a relatively simple hack could have affected a company as large as Uber.
“This is yet another case of user error trumping the best security measures readily available today. For an organisation as large as Uber, this is inexplicable,” says Zohar Alon, CEO of cloud security firm Dome9.
“There are tools available right now within GitHub that automatically check code for embedded access credentials such as AWS API keys. This is something that Uber, and any organisation that is developing code, can and should implement whenever a software engineer checks in code to GitHub.”
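The check Alon describes, run at the point where an engineer commits code, can be done locally as well as on the hosting side. The script below is an added example written for this article and is not code from Uber, GitHub or Dome9; it is a pre-commit style scanner that looks only at the lines a staged diff adds and flags two AWS credential shapes: access key IDs (a 20-character token starting with `AKIA` or `ASIA`) and 40-character secret keys that sit on the same line as a name such as `aws_secret_access_key`. The `SAMPLE_DIFF` is constructed for the example and uses the placeholder key values from AWS's own documentation, not real credentials; `main()` assumes it is run from a git repository where `git diff --cached` produces the staged changes.

```python
"""Scan a staged git diff for embedded AWS credentials (added example, not Uber/GitHub code)."""
import re
import subprocess
import sys
from dataclasses import dataclass

# AWS access key IDs are 20 characters: a 4-character prefix (AKIA for
# long-lived keys, ASIA for temporary ones) followed by 16 upper-case alphanumerics.
ACCESS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")

# Secret access keys are 40 base64-style characters. On its own that pattern
# matches hashes and other tokens too, so it is only flagged when the same line
# names the secret, e.g. `aws_secret_access_key = ...` or `AWS_SECRET_ACCESS_KEY=...`.
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[:=]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# Unified-diff hunk header; group 1 is the first line number in the new file.
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass(frozen=True)
class Finding:
    line_no: int   # line number in the new version of the file
    kind: str      # "access_key_id" or "secret_access_key"
    excerpt: str   # matched value, masked so reports do not re-leak it


def _mask(value: str) -> str:
    """Keep just enough of the value to recognise it in a report."""
    return value[:4] + "..." + value[-4:]


def scan_text(text: str) -> list[Finding]:
    """Return every credential-looking token in `text`, with 1-based line numbers."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append(Finding(line_no, "access_key_id", _mask(m.group(0))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append(Finding(line_no, "secret_access_key", _mask(m.group(1))))
    return findings


def scan_diff(diff: str) -> list[Finding]:
    """Scan only the lines a unified diff adds, reporting new-file line numbers.

    Removed lines are skipped: a key that is being deleted is not being committed.
    """
    findings = []
    new_line = 0
    in_hunk = False
    for raw in diff.splitlines():
        hunk = HUNK_RE.match(raw)
        if hunk:
            new_line = int(hunk.group(1))
            in_hunk = True
            continue
        if not in_hunk:
            continue  # file headers (diff --git, ---, +++) carry no content
        if raw.startswith("+"):
            for f in scan_text(raw[1:]):
                findings.append(Finding(new_line, f.kind, f.excerpt))
            new_line += 1
        elif raw.startswith("-"):
            continue
        else:
            new_line += 1  # unchanged context line still advances the new-file counter
    return findings


# Constructed sample diff. The key values are the placeholders AWS uses in its
# own documentation, not real credentials.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,3 +10,4 @@ DEBUG = False
 REGION = "us-east-1"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
 BUCKET = "uploads"
-OLD_KEY = "AKIAIOSFODNN7EXAMPLE"
"""


def main() -> int:
    """Pre-commit hook entry point: scan the staged diff and fail on any finding."""
    diff = subprocess.run(["git", "diff", "--cached", "--no-color"],
                          capture_output=True, text=True, check=True).stdout
    findings = scan_diff(diff)
    for f in findings:
        print(f"{f.kind} at new line {f.line_no}: {f.excerpt}", file=sys.stderr)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Installed as `.git/hooks/pre-commit`, a non-zero exit blocks the commit before the key ever reaches the remote. The secret-key pattern is deliberately tied to a naming context because a bare 40-character token would flag every SHA-1 and most session tokens; the access key ID prefix is distinctive enough to match on its own. Against `SAMPLE_DIFF` the scanner reports the added key ID at line 11 and the added secret at line 12, and ignores the removed `OLD_KEY` line.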
Uber is hardly alone, however. Equifax lost 145 million customers' details simply because it failed to patch a publicised flaw over the summer (and chose not to disclose the breach for months afterwards), and plenty of companies have fallen foul of AWS's then-lack of default encryption for its S3 storage cloud.
The dangers of covering up
The lengths to which Uber went to keep the hack hidden are perhaps the most damaging revelation for the company, particularly as Yahoo was facing criticism at the time for taking so long to disclose its own data breaches.
“Organisations like Uber have a social responsibility not only to do their best to protect the data they control, but to be transparent with their users about the risks to their identity,” says Jeremiah Grossman, chief of security strategy at SentinelOne. “How an organisation responds to a breach is what really separates the good from the bad.”
Rik Ferguson, vice president of security research at Trend Micro, argues that Uber's previous management “failed in their responsibility to their drivers, to regulators, to justice, and above all, to their customers”.
While the initial shock of the revelation begins to set in, Uber will be cautiously awaiting the inevitable legal tremors that are likely to come sooner rather than later. The company already faces an investigation by the New York Attorney General over its handling of the breach, and according to Ken Spinner, VP of engineering at Varonis, other state authorities are going to be “salivating at the prospect of suing Uber”.
“While there are no overarching federal regulations in place in the US, there's a patchwork of state regulations that dictate when disclosures must be made - often it's when a set number of users have been affected,” said Spinner. “No doubt Uber has surpassed this threshold and violated many of them by not disclosing the breach for over a year.
“This is the latest example of how hiding a breach rarely benefits a company and almost surely will backfire.”
Have your details been leaked?
In the wake of the revelation, Uber has set up pages for drivers and riders who may have been affected by the hack. These emphasise that the company has seen no evidence of fraud. They mention that Uber will offer drivers free credit monitoring and identity theft protection, but do not extend this to users of the service.
“Our outside forensics experts have not seen any indication that trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded,” the page explains.
Uber finally admits to leak of 57 million users' details
As we reported yesterday, Uber allegedly tried to cover up a massive data breach which affected 57 million users and drivers by paying hackers to keep quiet; the company has now admitted it.
This involved making payments of US$100,000 to the hackers, according to Bloomberg, which broke the news.
The breach is said to have occurred in October 2016, and leaked the names, email addresses and phone numbers of more than 50 million users globally. Around 7 million drivers were also affected, with hackers accessing around 600,000 US driver’s licence numbers.
Reports claim Uber’s former chief executive Travis Kalanick has known about the breach for over a year. Kalanick was forced out of the company in June, after months of controversies relating to sexism and poor working practices. He was replaced in August by former Expedia boss, Dara Khosrowshahi.
“While we have not seen evidence of fraud or misuse tied to the incident, we are monitoring the affected accounts and have flagged them for additional fraud protection,” Khosrowshahi said in a statement.
“None of this should have happened, and I will not make excuses for it,” he added. “While I can't erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.”
According to Bloomberg, two hackers managed to access a private GitHub site for Uber software engineers. They were able to grab login credentials from there, which allowed them to access an Amazon Web Services account for Uber. There they found an archive of driver and user information, and blackmailed the company for money.
In the wake of the revelation, Uber fired its chief security officer, Joe Sullivan.
It’s yet another PR disaster for a company struggling to reform its image. Bruised and damaged, but intact, from investigations into its anti-competitive practices, losing its London operating licence, and even a complete overhaul of its business culture following allegations of systemic sexism, Uber now faces one more crisis before the end of the year.