Uber: How Not To Handle A Breach

Credit to Author: Mark Nunnikhoven (Vice President, Cloud Research) | Date: Wed, 22 Nov 2017 17:18:01 +0000

Uber is a company that is embattled on all fronts. From a very public power struggle to labour issues to regulatory challenges to a reportedly toxic culture, Uber sits in a precarious position.

Yesterday, a new strike against the company came to light. In October 2016, Uber was hacked, resulting in the exposure of 57 million customer and driver records (name, email, phone number).

An additional 600,000 drivers had their license information exposed in the hack.

The sad reality is that this happens. No defence is perfect. Hackers can and will get through even the best security systems eventually. Security programs must accept that fact and respond to incidents quickly to reduce their impact and plan to recover quickly post-breach.

Covering It Up

In this case, Uber took the worst path possible. They chose not to disclose the breach and paid the cybercriminals responsible $100,000. They then tried to make that payment appear as if it was a bug bounty payment, further muddying the waters.

Let me be clear. Paying cybercriminals is unacceptable. Failing to disclose a breach that impacts millions is intolerable.

There is no way to prove that the cybercriminals deleted the data after receiving payment. That’s not how the digital world works. The statement that Uber “…believes the information was never used” has no basis in fact. There is no way that they can make that statement with any level of confidence. It’s not possible to track all avenues where stolen personal information can be sold or used. Is Uber monitoring all of the underground forums, back alley deals, chat rooms? Checking every website to ensure that no one is impersonating any of the affected users?

Furthermore, paying cybercriminals to keep the breach quiet only encourages these cybercriminals—and others—to commit more crimes moving forward. Digital extortion is an area of cybercrime that we expect to grow significantly in 2018 and we are actively researching this area with our partners in law enforcement.

Cybercrime is a business, and the more money criminals make, the more they will invest in tools and targets for future crimes.

Failure To Disclose

This year has been a series of massive breaches. Yahoo, Verizon, Edmodo, Equifax, and others have all suffered breaches impacting millions of users.

When personal information is exposed, you have to assume the worst case scenario and work forward from the position that the user data will be sold in the digital underground and used for malicious purposes.

Data breach notification laws around the world—including GDPR—support this position, and it’s why they require notification in situations where users’ personal information was exposed.

The process of public data breach notification is a significant event for any company. It’s perceived as a black eye and can have a real impact on public perception and the bottom line.

For organizations that are earnest in their efforts to protect users’ data and for those that handle breaches transparently, we need to shift away from a culture of blame and move to one where we support an open and honest investigation into the issues that led to the breach so that everyone can learn and do better.

This is not the case with Uber.

By failing to disclose the breach, Uber has opened itself up to potential legal consequences and directly put users at risk. If you are unaware that your information is at risk, you may not be taking the appropriate steps to protect yourself.

Uber’s failure to disclose has put users at additional risk, and that’s unacceptable.

Worrying Statement

Of the many things that jumped out at me from this story, one statement made by Uber is especially worrisome. Uber states, “…two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use. The incident did not breach our corporate systems or infrastructure.”

Untrue.

As an organization, when you leverage third-party services as part of your IT solution, they are now part of your corporate systems. Your data is your data regardless of where you store it.

All cloud services operate under the shared responsibility model and under all categories of the model you are responsible for your data.

Bloomberg describes the hack as:

  Attackers gaining access to a private GitHub code site used by Uber

  Attackers discovering AWS credentials in that GitHub site

  Attackers using those AWS credentials to access the personally identifiable information

Like most hacks, this was unsophisticated and points to a process failure on the victim’s side. In no way does this breach speak to the security of GitHub or AWS.
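The chain Bloomberg describes starts with cloud credentials sitting in a code repository, which is exactly the condition a pre-commit or CI secret scan exists to catch before a push. Added example, not from the original post or from Uber: a minimal scanner for AWS access key IDs and high-entropy secret keys in the added lines of a unified diff; the sample diff is constructed and the key values in it are the public placeholder credentials from AWS documentation.

```python
import math
import re
import sys
from collections import Counter

# Shape of an AWS access key ID (20 chars, AKIA for long-lived keys, ASIA for temporary ones)
# and of the 40-character secret access key, which usually sits next to a "secret" label.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
SECRET_RE = re.compile(
    r"(?i)aws.{0,20}?secret.{0,20}?['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

def shannon_entropy(s: str) -> float:
    """Bits per character: real random keys score well above 4, placeholders and prose far less."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def scan_lines(lines, min_secret_entropy=4.3):
    """Return (line_no, kind, snippet) for each (line_no, text) pair that carries an AWS credential."""
    findings = []
    for line_no, line in lines:
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((line_no, "aws_access_key_id", m.group(1)))
        for m in SECRET_RE.finditer(line):
            secret = m.group(1)
            if shannon_entropy(secret) >= min_secret_entropy:  # drops "AAAA..." style placeholders
                findings.append((line_no, "aws_secret_access_key", secret[:4] + "..."))
    return findings

def scan_diff(diff_text: str):
    """Scan only the added ('+') lines of a unified diff, skipping the '+++' file header."""
    added = ((n, line[1:]) for n, line in enumerate(diff_text.splitlines(), start=1)
             if line.startswith("+") and not line.startswith("+++"))
    return scan_lines(added)

# Constructed sample diff; the key values are the public example credentials from AWS docs.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,3 +1,6 @@
 DEBUG = False
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+# AWS_SECRET_ACCESS_KEY = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"  # placeholder, not flagged
 REGION = "us-east-1"
"""

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    hits = scan_diff(text)
    for line_no, kind, snippet in hits:
        print(f"diff line {line_no}: {kind} {snippet}")
    sys.exit(1 if hits else 0)  # non-zero exit lets a pre-commit hook reject the commit
```

A key that has already landed in a repository must be treated as exposed and rotated, not merely deleted from the working tree, because the commit history still holds it.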

If you park your car at the mall, leave the door open with the keys in the ignition and are surprised when a thief steals it, that’s not the mall’s fault. That’s on you.

Moving Forward

Uber’s new leadership team has taken the first steps in trying to make this right despite the significant backlash they will face in the public eye. Good for them; this could not have been an easy decision. But it doesn’t erase the history of questionable decisions from the company. Trust is not easily earned and near impossible to restore once destroyed.

This case should serve as an example that the best policy in the face of a breach is transparency…regardless of how difficult it may be.

The company has fired its CISO, is working to notify affected individuals, and is working with outside experts to improve their security. What they’ve failed to state is whether they’ve involved law enforcement (Uber did admit to identifying the cybercriminals) and whether or not they will cooperate with regulations moving forward.

Anytime users share their information with you, you must do your best to keep that information safe. Sometimes, despite your best efforts, that information will be exposed.

To keep that trust, you need to be transparent and help users protect themselves. Yes, you’re a victim of a cybercrime but so are your users. You can’t forget that…ever.
