igor - Fotolia
Uber has admitted it covered up a data breach in 2016 that affected 57 million customers and drivers.
This is the second time the company is known to have failed to report a significant breach, having been fined $20,000 in January 2017 for failing to disclose a considerably less serious breach in 2014, as reported by the BBC.
The National Cyber Security Centre (NCSC) is investigating if this breach has affected Uber customers in the UK.
“Companies should always report any cyber attacks to the NCSC immediately. The more information a company shares in a timely manner, the better able we are to support them and prevent others falling victim,” an NCSC spokesperson said.
“We are working closely with other agencies including the [National Crime Agency] NCA and [Information Commissioner’s Office] ICO to investigate how this breach has affected people in the UK and advise on appropriate mitigation measures,” the spokesperson said, but added that the NCSC has seen no evidence that financial details have been compromised.
Uber has removed its chief security officer Joe Sullivan and one of his deputies for their roles in covering up the breach, and a $100,000 payment to the attackers to delete data rather than go public, according to Bloomberg, which was first to report the breach.
“Given the current climate around data security and breaches, it is astonishing that Uber paid off the hackers and kept this breach under wraps for a year,” said David Kennerley, director of threat research at Webroot. “The fact is there is absolutely no guarantee the hackers didn’t create multiple copies of the stolen data for future extortion or to sell on further down the line.”
Uber’s credentials compromised
The attackers were reportedly able to access a private area of the web-based GitHub version control repository for developers, where they found Uber’s log-in credentials to Amazon Web Services (AWS), where the company stored the breached data.
It has also emerged that former Uber chief executive Travis Kalanick knew about the breach, which exposed the names, email addresses and mobile phone numbers of 50 million customers and personal details of seven million drivers, including the licence details of 600,000 drivers.
According to a company statement, Uber is offering free credit monitoring protection for its drivers, but not affected customers.
“While we have not seen evidence of fraud or misuse tied to the incident, we are monitoring the affected accounts and have flagged them for additional fraud protection,” said Uber’s recently-appointed chief executive Dara Khosrowshahi.
“None of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.”
Uber is currently negotiating a deal with a consortium led by SoftBank and Dragoneer Investment Group that plans to inject $1bn to $1.25bn into Uber, according to Reuters, but industry commentators said the reportedly tough negotiations could get tougher in the light of news of the breach.
Businesses need to recognise that data breaches are a threat they face and they should be prepared to deal with them effectively to maintain customer trust, say security advisers.
“The reality is that companies today exist in a state of continuous compromise. Facing thousands of attacks daily, or even tens of thousands, it’s a matter of when – not if – a breach will occur,” said Gary Weiss, senior vice-president and general manager of the Security, Discovery and Analytics Business Unit at information management software firm OpenText.
“Research we conducted this year showed that in just the first half of 2017, 65% of organisations fell victim to malware-related breaches and 55% experienced phishing-initiated breaches. But rather than fear the breach, organisations need to prepare with a defined, well-practiced response strategy that involves security teams, legal, executive leadership, and communications/PR support,” he said.
Loss of consumer trust
According to Weiss, any attempt to cover up or hide a breach serves only to compound the loss of consumer trust and potential legal consequences.
“Uber’s leadership has made it clear that they are changing the way they do business and addressing this issue head-on,” he said.
Ryan Wilk, vice-president of customer success at Mastercard’s NuData Security, said it is “refreshing” to see a company taking such quick and decisive action to earn back consumer trust.
“Uber CEO Dara Khosrowshahi’s statement that there is no excuse for what happened and Uber will be putting integrity and trust at the core of every business decision is a welcome message,” he said.
Dan Panesar, vice-president for Certes Networks in Europe, said transparency is crucial when it comes to the loss of personal data.
“Not only will 2018 see this mandated by GDPR [EU’s General Data Protection Regulation], but it is vital to ensure that even in the wake of a breach customers do not lose total faith in a brand’s ability to protect their data,” he said.
Read more about data breaches
- Drawing on insights from more than 400 senior business executives, research from Experian reveals many businesses are ill-prepared for data breaches.
- Stolen and lost devices are the biggest causes of data leaks in the financial sector, which experienced twice as many leaks in 2015 than the year before, a report reveals.
The breaches of the past two years, said Panesar, could not have made it plainer that the current mind-set is not working.
“Organisations need to think beyond the ‘protect’, ‘detect’, ‘react’ approach which sees hackers spend over 100 days on average siphoning sensitive data from across compromised networks,” he said. “Instead, the model needs to include a step that limits the damage – containment.”
If Uber wants to continue its rise across Europe, it has to reverse its attitude to hacks, come clean and work tirelessly to make its protections and reporting systems watertight, said Dean Armstrong QC, cyber law barrister at Setfords Solicitors.
“It has much work ahead of it, but perhaps this lesson will finally signal to other organisations that law-makers, and the public have had enough of poor data protection provision,” he said.
According to security firm Venafi, the breach at Uber is an example of how unprotected machine identities can lead to data breaches.
“Cloud services, such as AWS, are secured with SSH [secure shell] keys that are often outside the control of security teams,” said Kevin Bocek, vice-president of security strategy and risk intelligence at Venafi.
“Unfortunately, we frequently see SSH keys that provide access to AWS left unprotected in GitHub,” he said. “Without robust SSH intelligence and strong security controls, malicious actors can abuse these keys while flying under the radar of most other security controls.”