Security industry responds to massive Uber data breach cover-up


That Uber has become the latest big target to fall victim to data compromise is not overly surprising. How the company decided to deal with the breach, however, was jaw-droppingly bad. Is cover-up ever a good headline to be reading?

Here’s the skinny: in 2016 the app-based taxi supremo was breached by threat actors who managed to access the personal data of some 57 million Uber customers and drivers alike, the latter including some 600,000 whose names and driving license details were exposed. The breach is thought to have been facilitated by the discovery of Uber log-in credentials for Amazon Web Services (AWS) in a private area of the GitHub developer code repository. So far, so routinely poor; but things then got worse, a lot worse. According to the Bloomberg reporters who uncovered the breach details, Uber then took the decision to pay off the attackers with $100,000 as part of a deal to delete any stolen data and keep silent about the breach. The CSO at the time, Joe Sullivan, has since parted ways with Uber. Quite why the company decided not to notify customers whose data was potentially compromised by this breach is, frankly, beyond me. Me, and much of the security industry it would seem; most of the coverage has been focussed on the hush-money aspect rather than the breach itself.

Here’s our round-up of what the industry is saying:

Raj Samani – Chief Scientist and Fellow at McAfee

“As a regular Uber customer myself, this news makes me incredibly angry. Uber has treated its customers with a complete lack of respect. Millions of people will now be worrying over what has happened to their personal data over the past 12 months, and Uber is directly responsible for this. In opting to not only cover up the breach, but actually pay the hackers, Uber has directly contributed to the growth of cybercrime and the company needs to be held accountable for this.”

Rik Ferguson – Vice President Security Research at Trend Micro

“There is no question that the previous management and security team at Uber failed in their responsibility to their drivers, to regulators, to justice and above all to their customers, and that’s a pretty long list. However certain those responsible may have been that their attackers had been silenced, digital theft does not work the same way as in the physical world; you can never “buy back the negatives” once data has been stolen. It is heartening to see the new management team come clean about the breach, but I remain concerned at some of the wording in Mr. Khosrowshahi’s blog. He appears to distance Uber’s “corporate systems and infrastructure” from the “third-party cloud-based service” that was the target of the breach. This is perhaps indicative of the root of the problem. Cloud services adopted by a business are corporate systems and infrastructure and from a security perspective should be treated as such.”

Ilia Kolochenko – CEO of High-Tech Bridge

“I think the most important thing now is to ascertain that the alleged scope of the breach is not mistakenly underestimated or deliberately concealed. Uber is a very attractive target for professional hackers, from Black Hat mercenaries to nation-state groups. The uncovered incident may be just the tip of the iceberg. Taking into consideration currently available but not yet confirmed facts, the root cause of the incident is Uber’s banal negligence. Nonetheless, it’s too early to blame anyone or to make any ultimate conclusions until the remaining technical details are properly investigated and publicly disclosed. Speaking about the legal side of the breach, it will likely bestow on Uber a wide spectrum of lawsuits in different jurisdictions and quite painful sanctions.”

Rob Norris – VP Head of Enterprise & Cyber Security EMEA at Fujitsu

“Yet another company breach has made the headlines, and looks set to become this month’s – if not this year’s – biggest hacking story. This attack on Uber, the way the company handled it, and the customer reactions we’re beginning to witness offer crucial lessons for the way organisations approach cyber security – and the potential consequences when they get it wrong.”

Stuart Clarke – Head of Security and Intelligence Solutions at Nuix

“This massive data breach goes to show the importance a unified regulation such as GDPR could have in making third parties accountable for security concerns. Protecting the personal data of customers must be paramount for all organisations and GDPR ensures that data is accounted for, protected and access to it is managed. However, for real change to take place, the way organisations view personal data must be radically different in the future. The fact that Uber has hidden this breach for such a long period of time really suggests that they are not treating customer data with the diligence that it warrants.”

Richard Parris – CEO and Chairman at Intercede

“Uber’s cover-up of the data breach that led to personal details of 57 million individuals being stolen will likely have far more implications on consumer trust than the hack itself. Every time we as consumers use services like Uber, we knowingly share our personal information and we trust that those details are kept securely, away from the prying hands of cyber miscreants. If consumers can’t trust companies to keep their data safe, they ought to stop using their services.”

James Maude – Senior Security Engineer at Avecto

“A serious error on Uber’s part was storing the keys to its data store on a GitHub code repository, which the attackers could access. This is the digital equivalent of writing the password down on a bit of paper. Once the attackers had this key, they could access data easily. There is a growing issue around organisations outsourcing data storage to the cloud with limited or no security – yet companies feel like they’ve outsourced security too. The cloud presents both a great opportunity and a great danger at the same time.”

Chester Wisniewski – Principal Research Scientist at Sophos

“Uber’s breach demonstrates once again how developers need to take security seriously and never embed or deploy access tokens and keys in source code repositories. I would say it feels like I have watched this movie before, but usually organizations aren’t caught while actively involved in a cover-up. Putting the drama aside and the potential impacts from the upcoming GDPR enforcement, this is just another development team with poor security practices that has shared credentials. Sadly, this is common more often than not in agile development environments.”

Jason Hart – CTO, Data Protection at Gemalto

“Two things should have been done better here: faster disclosure and better use of encryption for the entire data lifecycle. Delay in disclosing erodes trust, and it belies the fact that breaches like this, that access your data via cloud services, are inevitable. The goal should not be to hide these breaches or even prevent them—it should be to make them secure breaches by taking a more intelligent, data-centric approach to security. This means knowing exactly where your valuable data resides, who has access to it, how it is transferred, and when and where it is encrypted and decrypted. Of the 1.9 billion data records compromised worldwide in the first half of 2017, less than 1 percent were encrypted. That’s all that had to be done here and it’s what other organizations need to do in the future to avoid this.”

Sam Curry – Chief Security Officer for Cybereason

“Who watches the watchers? The truly scary thing here is that Uber paid a bribe, according to news reports, essentially a ransom to make this breach go away and they acted as if they were above the law. Those people responsible for the integrity and confidentiality of the data in fact covered it up. To all outward appearances, the new CEO and management team are doing the right thing and making the difficult choices. However, difficult consequences still have to follow. And above all, this is a wake-up call to the industry that CSOs have a responsibility not just to the companies that they work for, but the people whose data is affected. In other words, Joe Sullivan and crew should have acted in the interest of the public good and public safety and made these tough choices far, far sooner. It’s time not to let another Equifax, Deloitte, etc happen and to leave no grey area to security officers as to what the right thing to do is.”

David Kennerley – Director of Threat Research at Webroot

“Given the current climate around data security and breaches it is astonishing that Uber paid off the hackers and kept this breach under wraps for a year. The fact is there is absolutely no guarantee the hackers didn’t create multiple copies of the stolen data for future extortion or to sell on further down the line. A security breach of this size will potentially damage any business’ reputation, but how a company behaves following a breach is vital. Potential victims deserve to be informed as soon as possible, so they can better protect themselves going forward – from changing passwords to being aware that they are now prime phishing targets. Being open and transparent and keeping customers informed is key; you can’t simply sweep these things under the carpet.”

Dr. Jamie Graves – CEO & Founder at ZoneFox

“The Uber hack is precisely why GDPR is coming into force. Time and time again we’ve seen significant data breaches, which will have serious implications for those whose data was involved, dismissed or covered up by major organisations. The incoming legislation that requires organisations to investigate and inform victims of a breach within 72 hours will at least give those affected a chance to get ahead of the criminal gangs that have their sensitive data. However, the most disturbing aspect of the Uber case is that they paid money to those responsible to destroy the data. As we have seen in numerous other cases, these gangs are the last group of people to be trusted. For example, ransomware distribution groups often will not decrypt the data they have locked away after receiving payment. So how do we know all of the data has been deleted? And how do we know that some accounts weren’t ‘cherry-picked’ for belonging to high-net users and then sold to the highest bidder? Uber CEO Dara Khosrowshahi wants to ‘change the way they do business’ – a thorough and immediate independent investigation into this attack would be a good place to start.”

Chris Boyd – Lead Malware Intelligence Analyst at Malwarebytes

“This breach is not only hugely aggravating for those affected, but also raises questions about the value of bug bounty programs. Companies have made large strides in trying to make bounty reporting, in general, a lot less like the ‘Wild West’, and something like this undermines those efforts. Especially when you consider many bounties pay out a lot less than the £75,000 Uber offered to hackers, plus including the chunk of taxes coming out of the bounty. Whilst not communicating a breach cannot be condoned, the upcoming GDPR will hopefully not only lead to better governance and protections, but also serve to reduce the stigma around hacks. So rather than just seeing headline-grabbing fines on a practical level we will also see big lessons learned by organisations. Ultimately, if businesses are afraid to come forward and admit a breach, how will we – as a society – ever learn from and beat the cyber miscreants?”

Kevin Bocek – VP of Security Strategy and Risk Intelligence at Venafi

“The incident at Uber is an example of how unprotected machine identities can lead to data breaches. Access to cloud services, such as Amazon AWS, is secured with SSH keys that are often outside the control of security teams. Unfortunately, we frequently see SSH keys that provide access to AWS left unprotected in GitHub. Without robust SSH intelligence and strong security controls, malicious actors can abuse these keys while flying under the radar of most other security controls. Weak SSH protection is like a fleet of Ubers that have gone out of control; no one can stop them.”

Dean Armstrong QC – Cyber Law Barrister at Setfords Solicitors

“Uber has played a risky game here, not only concealing the hack but exacerbating the problem by paying off the hackers. This will simply encourage them further and result in more attempts to steal personal data from organisations. In the UK and EU there has been a huge shift in thinking towards this issue and in May 2018 new regulations come into force that would see such behaviour heavily punished. The General Data Protection Rules (GDPR) coming into play in the UK and Europe next year are designed specifically to deal with such occurrences – under these Uber would have had to notify the regulator within 72 hours of being aware of the hack (not the year or so in this case), and assuming the regulator found them in breach of the regulations they would have to pay a fine of 4% of global annual turnover, or 20 million Euros, whichever is higher. As Uber hasn’t released its figures we can’t speculate as to the potential final cost of the fine but it is fair to say the regulator would come down hard and under the regulations it would likely be in the tens of millions. The greater cost to Uber, however, would, and will be in terms of reputation, which although harder to quantify than a fine could far outstrip any penalty handed to them by a regulator. The UK and Europe are adopting stricter rules on personal data protection for precisely this kind of event. While the hack occurred in North America, the regulations will apply to any EU citizen’s data. Assuming that at least some of the 50 million records hacked were of EU citizens, then under the new rules GDPR would potentially see Uber punished under EU regulation.”

James Romer – Chief Security Architect EMEA at SecureAuth

“Uber’s breach highlights the fact that passwords and simple two-factor authentication are no longer enough to stop attackers. 81 percent of data breaches come from attackers using stolen credentials and Uber is now responsible for losing another 57 million usernames and passwords. This breach will have knock on effects in the cyber-security industry as stolen credentials often lie dormant on the dark web or in the possession of cybercriminals only to resurface in the future. Uber users should reset their account passwords for the app and all other accounts where it may have been re-used. Organizations (especially global businesses like Uber!) need to implement smart, adaptive methods of authentication with contextual risk analysis built in throughout, negating the damage of stolen or lost credentials.”

Dan Panesar – VP EMEA at Certes Networks

“Uber may be the latest in a long line of big names to hit the headlines in the wake of serious data breaches; however, it is the handling of the attack that is the biggest cause for concern. The lengths gone to by the executive team to conceal the loss of personal data from staff and customers is mind-blowing, and there simply isn’t a place or excuse for it. Most likely the Uber C-suite, seeing the repercussions of cyber-attacks on similar household names, were keen to avoid the reputational damage – a massive error of judgement. The reality is that customer distrust of the brand will be amplified by the company’s attempts to hide the facts from them and points to the need for change in the industry.”

Andrew Samsonoff – CEO of Invinsec

“Compare the Uber breach with the Talk Talk breach in 2015. Talk Talk lost far fewer records and acted as fast as they could to inform customers. This is a bad breach and companies observing this should take note: treat customer data with care and respect, know when you have lost it, and when you do – take action immediately. Don’t hide it.”

Aaron Higbee – CTO at PhishMe

“In an effort to safeguard its reputation, Uber has put customers and drivers in the dark, ultimately compromising their data security. By taking the opposite approach, arming its customers and drivers with the knowledge that their details may be at risk and advising on what to look out for, Uber could have instead mitigated the damage and created a stronger human line of defence. What’s more, transparency is the only way others too can see the risk to data security, and this exposure will help us to engage in more security-conscious practices across the board.”

Mark Sangster – Industry Security Strategist at eSentire

“It’s fascinating that even in light of the mega breaches of 2016 and 2017, companies consider non or delayed breach disclosure as an option. The number of records compromised in the Uber hack far exceeds the entire population of Canada. We’re not talking small beans, here. Unfortunately for Uber, I expect that its breach will set new precedence when it comes to regulatory compliance and disclosure mandates. Companies today have no excuse when it comes to cybersecurity controls. Tools and guidelines exist to help organizations and firms prepare and navigate breach remediation and disclosure. In Uber’s case, you have a company already enduring a PR firestorm. Mix in a significant one-year old, non-disclosed breach and that storm suddenly becomes a hurricane.”

Nathanial Wallis – Security Specialist at Axial Systems

“Uber’s assurances that stolen data has now been deleted should be taken with a pinch of salt. All companies have a duty of care to ensure the data they hold on both customers and staff is secured and protected from loss; Uber clearly failed their customers in this regard.”

Tim Mackey – Cybersecurity Expert at Black Duck Software

“The larger issues of Uber’s actions and failure to disclose a breach that occurred in 2016 aside, the breach apparently occurred when hackers discovered that the company’s developers had published code that included their usernames and passwords on a private account of the software repository GitHub. Those credentials gave the hackers access to the developers’ accounts on Uber’s network, and with it, access to information hosted on Amazon’s servers, including the rider and driver data they stole. This highlights the level of responsibility all open source contributors have in reviewing code prior to pushing it to public repositories such as GitHub. Configuration information files for internal systems, whether they be used for QA, UAT, Staging or Production, should be explicitly excluded from inclusion in source code repositories. Most source code management systems have a provision for this exclusionary functionality, but it’s the responsibility of contributors to ensure the exclusion rules stay current. Additionally, standard code review practices normally require code contributions to be peer reviewed prior to merge – a practice which should identify situations where sensitive information is included in any source files. If the reports of how the breach occurred are accurate, it should serve as a warning to everyone participating in open source activities that mistakes can happen and periodic review of software hygiene procedures is a best practice.”
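One way to operationalise the exclusion rules and pre-merge review Mackey describes, and the point Maude and Wisniewski make above about never embedding keys in repositories: an added example, not Uber’s, GitHub’s or any vendor’s code, that checks files staged for commit for AWS access key pairs and for config paths that a .gitignore-style rule says must never be committed. The key-format regexes, the exclusion rules and the sample staged files are assumptions constructed for the example; the key values are the placeholder examples from AWS’s own documentation, not real credentials.

```python
# Added example (not Uber's, GitHub's or any vendor's code): a pre-commit
# style scan for AWS credentials and for config files that should be
# excluded from the repository. Key values are AWS's documented placeholders.
import fnmatch
import re
from dataclasses import dataclass

# Assumed formats: 20-char access key ID starting AKIA/ASIA; 40-char secret
# assigned to a variable named like aws_secret_access_key.
AWS_KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[0-9A-Z]{16}(?![A-Z0-9])")
AWS_SECRET = re.compile(
    r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[:=]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)
# .gitignore-style rules: per-environment config (QA, UAT, staging, prod)
# and key material are excluded outright, whatever they contain.
EXCLUDE_RULES = ["*.env", "config/*.yml", "*.pem", ".aws/credentials"]

@dataclass(frozen=True)
class Finding:
    path: str
    line: int   # 0 when the whole file is the problem
    kind: str

def is_excluded(path: str, rules=EXCLUDE_RULES) -> bool:
    """True if the path, or its basename, matches an exclusion rule."""
    base = path.rsplit("/", 1)[-1]
    return any(fnmatch.fnmatch(path, r) or fnmatch.fnmatch(base, r) for r in rules)

def scan_text(path: str, text: str) -> list:
    """One Finding per credential-looking token, with its line number."""
    found = []
    for n, line in enumerate(text.splitlines(), start=1):
        if AWS_KEY_ID.search(line):
            found.append(Finding(path, n, "aws-access-key-id"))
        if AWS_SECRET.search(line):
            found.append(Finding(path, n, "aws-secret-access-key"))
    return found

def check_commit(staged: dict) -> list:
    """staged maps path -> content; returns every reason to block the commit."""
    found = []
    for path, text in staged.items():
        if is_excluded(path):
            found.append(Finding(path, 0, "excluded-file"))
        found.extend(scan_text(path, text))
    return found

# Constructed staged files: clean source, a leaked prod config, a deploy script.
STAGED_FILES = {
    "src/app.py": "import boto3\nclient = boto3.client('s3')  # creds from env\n",
    "config/production.yml": (
        "aws_access_key_id: AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "deploy.sh": "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
}

if __name__ == "__main__":
    for f in check_commit(STAGED_FILES):   # a hook would exit non-zero here
        print(f"{f.path}:{f.line}: {f.kind}")
```

Run as a Git pre-commit hook, a non-empty result from `check_commit` is the signal to refuse the commit; the excluded-file rule fires even when the file contains no recognisable key, which is the point of excluding config paths rather than relying on pattern matching alone.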

Andrew Bushby – UK Director at Fidelis Cybersecurity

“It’s unacceptable for companies such as Uber to take more than a year to report a breach, especially when it concerns the personal data of 57 million customers and drivers. Uber has had a very challenging year so far, and this will undoubtedly make it worse. Hopefully they, and other organisations, will learn a very real lesson from this. Organisations cannot just run away from cyber blackmail, whether it’s ransomware, encryption or a disclosure threat. Paying the demand and pretending it didn’t happen is not acceptable and they are now taking the word of the blackmailer that they have deleted the data and not sold it. This will embolden the attackers and will reinforce it as a legitimate money-making tactic.”