Uber confirmed a massive global breach of the personal information of 57 million customers and drivers in October 2016, failing to notify the individuals and regulators, the company acknowledged. It had paid the hackers responsible $100,000 to delete the data and keep the breach quiet. The breached exposed the names, email addresses and phone numbers of users around the world, including the driver’s license numbers of about 7 million drivers, 600,000 of which were in the United States. The information was accessed through a third-party cloud-based service Uber uses. The company said no Social Security numbers, credit card numbers, bank account numbers, birth dates or trip location data was taken.
Instead of explaining why the breach wasn’t disclosed earlier, Uber CEO, Dara Khosrowshahi instead outlined measures that had been taken by the company as a result of the breach. These included hiring a National Security Agency alumnus to improve the company’s security in the future, terminating the employment of two individuals who led the response to the hacking, providing assistance to the drivers whose personal information was compromised and notifying regulatory authorities.
“None of this should have happened, and I will not make excuses for it,”Khosrowshahi said. “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”
Commenting on the breach, Principal Research Scientist, Chester Wisniewski, Sophos said – “Uber’s breach demonstrates once again how developers need to take security seriously and never embed or deploy access tokens and keys in source code repositories. I would say it feels like I have watched this movie before, but usually organizations aren’t caught while actively involved in a cover-up. Putting the drama aside and the potential impacts from the upcoming GDPR enforcement, this is just another development team with poor security practices that has shared credentials. Sadly, this is common more often than not in agile development environments.”
“Uber isn’t the only and won’t be the last company to hide a data breach or cyberattack. Not notifying consumers puts them at greater risk of being victimized with fraud. It’s for precisely this reason that many countries are driving to regulations with mandatory breach disclosure.”
cyber security advisor
Vincent Weafer, Vice President for McAfee Labs believes the hack was successful because credentials that were used to access Github data or code were similar to those used to access Uber’s own data repository containing the personal information. “It shows how attackers are trying to use credentials as a means of gaining entry inside organizations. Once a hacker has the credentials, he can move around inside an organization without detection. This is a good example of why people need to be very careful of how credentials are used and managed. We know attackers have been trying to track down administrator credentials–the keys to the kingdom–that allow them to move around within an organization. Keeping those credentials separate and managing them should be a serious matter.”
Dan Sloshberg, Cyber Resilience Expert, Mimecast, commented: “Uber had both the legal and social obligation to inform governments and customers of this attack, and the fact the company chose to pay hackers and hide the massive breach is shocking. Pretending that an attack hasn’t happened, or quietly paying attackers off only emboldens perpetrators further. With the General Data Protection Regulation (GDPR) coming into effect in May 2018, businesses must report breaches within 72 hours or face crippling fines much bigger than what Uber paid to hackers. Businesses need to realise that the impact of breaches can be very serious – with knock-on effects on the organisation itself, employees and customers. To combat threats and ensure they remain compliant ahead of the GDPR, organisations must invest in minimising their risk appropriately with an appropriate cyber resilience strategy. This should also include a plan if something does go wrong.”