For more than a year, even as it negotiated with regulators in the US over privacy infractions, Uber hid a massive hack that resulted in cyber-thieves pilfering the personal information of 57 million customers and drivers and prompted the company to fire two executives, including its chief security officer, Joe Sullivan.
“We know that the two attackers accessed a GitHub coding site used by Uber software engineers, found a set of login credentials, and used those credentials to access an infrastructure account that handled computing tasks for the company,” said Corey Williams, senior director of products and marketing at Centrify. “Within that infrastructure, the attackers discovered the archive of rider and driver information.”
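The attack path Williams describes, a credential committed to a source repository that unlocks a cloud account, is the kind of thing a pre-commit hook or a periodic repository sweep is meant to catch. The following is an added example, not code from the article or from Uber: a small scanner for AWS-style access keys (the page's other quotes place the compromised systems in AWS, so that key format is assumed here) that runs over file contents or over a repository's full git history, with a Shannon-entropy filter so that obvious placeholders are not reported. The sample configuration it scans is constructed, modeled on the placeholder credentials in AWS documentation, and the `git log -p --all` sweep is the only part that touches a real repository.

```python
import math
import re
import subprocess
from collections import Counter
from dataclasses import dataclass

# Constructed sample input (not real credentials): the [default] block uses the
# well-known AWS documentation placeholders, the [staging] block uses obvious
# filler that a naive regex would still flag.
SAMPLE_CONFIG = """\
# constructed sample, modeled on the AWS documentation's placeholder credentials
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[staging]
aws_access_key_id = AKIAXXXXXXXXXXXXXXXX
aws_secret_access_key = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
"""

# (kind, pattern, minimum Shannon entropy in bits/char before it is reported).
# Key IDs: "AKIA" (long-term) or "ASIA" (temporary) plus 16 upper-case alphanumerics.
# Secret keys: a 40-char base64-style token following an "aws secret (access) key" label.
# The entropy thresholds are assumptions chosen to separate real-looking keys from filler.
PATTERNS = [
    ("aws_access_key_id",
     re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b"), 3.0),
    ("aws_secret_access_key",
     re.compile(r"(?i)aws[_\-\s]*secret[_\-\s]*(?:access[_\-\s]*)?key\W{0,5}"
                r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"), 3.5),
]


@dataclass
class Finding:
    path: str
    line: int
    kind: str
    value: str

    def redacted(self) -> str:
        """Report only the edges of the token so the finding itself does not re-leak it."""
        return self.value[:4] + "..." + self.value[-4:]


def shannon_entropy(s: str) -> float:
    """Bits per character; 0.0 for a string made of one repeated character."""
    n = len(s)
    counts = Counter(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str, path: str = "<memory>") -> list:
    """Scan text line by line, dropping low-entropy matches (placeholders, 'xxxx...')."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern, min_entropy in PATTERNS:
            for match in pattern.finditer(line):
                token = match.group(1)
                if shannon_entropy(token) >= min_entropy:
                    findings.append(Finding(path, lineno, kind, token))
    return findings


def scan_file(path: str) -> list:
    with open(path, encoding="utf-8", errors="ignore") as fh:
        return scan_text(fh.read(), path)


def scan_git_history(repo_dir: str) -> list:
    """Scan every diff on every ref: a secret deleted in a later commit is still in history.
    Line numbers in these findings refer to the `git log -p` output, not to a file."""
    log = subprocess.run(
        ["git", "-C", repo_dir, "log", "-p", "--all"],
        capture_output=True, text=True, check=True,
    ).stdout
    return scan_text(log, f"{repo_dir} (git history)")


if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG, "constructed.cfg"):
        print(f"{f.path}:{f.line}: {f.kind} {f.redacted()}")
```

Run against the constructed sample, only the two `[default]` values are reported (as `AKIA...MPLE` and `wJal...EKEY`); the `[staging]` filler is dropped by the entropy filter. The history sweep is the part that matters for the scenario in the quote: rotating a key and deleting the line from the repository does not remove it from earlier commits that anyone with repository access can still read.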
The information stolen in October 2016 included names, phone numbers and email addresses of the company's customers, according to a report by Bloomberg.
Around seven million drivers had their data compromised, including approximately 600,000 driver's license numbers.
While Uber told Bloomberg it did not believe the purloined data was used in any way, the company did admit to paying the hackers US$ 100,000 (roughly £75,000) to get rid of it.
“Obviously, US$ 100,000 is probably considered ‘cheap’ these days,” said Chris Roberts, chief security architect at Acalvio, who expressed dismay that “one of our own” orchestrated a cover-up. “The company keeps its reputation (for whatever it's worth in the case of Uber), the company can keep doing what it does (using risky applications) and the hackers get a decent payday and can move on to the next target and see if they can do the same to them as they did to Uber.”
“None of this should have happened, and I will not make excuses for it,” Uber's new CEO Dara Khosrowshahi was cited in the report as saying.
Khosrowshahi said the company is “changing the way we do business.”
Centrify's Williams said “if Uber had followed standard breach protocol by notifying authorities and impacted users, remediated the problem and laid out steps that they were taking to avoid future breaches, the impact would have been much less.” Uber, he said, “was under a legal obligation to notify regulators and the impacted users and drivers. Instead they took extreme measures to hide the hack, paying US$ 100,000 to the hackers to remain quiet and actively took steps to keep the truth under wraps.”
In fact, the company “was already in hot water for a breach in 2014 for a compromise of Uber's database running on AWS. Uber agreed to 20 years of privacy audits. It misrepresented the extent of the breach and the extent of their security controls in place to protect information,” said Chris Morales, head of security analytics at Vectra.
“This was clearly not the case as the systems compromised in 2016 are still in AWS hosting much of the same information, only on a much bigger scale,” Morales said. “This breach happened at the same time Uber was already under investigation by U.S. regulators for the 2014 breach.”
He found the cover-up “more concerning” than the attack. “There are many breach notification laws, especially in California, that would have required immediate notification to consumers,” he said, calling for a broader conversation on national breach and notification legislation. “We are the ones put at risk here, not Uber.”
The Uber hack strikes an all too familiar chord. “I'm not sure how many times we will need to see this story play out before companies get it right,” said Curtis Sparrer, principal of Bospar, whose recent survey of 1,005 adults in the US found that only 6.2 percent admire Uber. “When companies make a mistake they need to reveal it quickly and simply to their customers and the public. It's always the cover-up that's worse than the crime.”
Indeed, “who watches the watchers? The truly scary thing here is that Uber paid a bribe, according to news reports, essentially a ransom to make this breach go away and they acted as if they were above the law,” said Sam Curry, CSO at Cybereason. “Those people responsible for the integrity and confidentiality of the data, in fact covered it up.”
Curry commended Khosrowshahi's efforts. “To all outward appearances, the new CEO and management team are doing the right thing and making the difficult choices,” he said. “However, difficult consequences still have to follow.”
Those consequences are already beginning to roll in. New York Attorney General Eric Schneiderman has opened a probe into the hack.
The hack and subsequent cover-up are “a wake-up call to the industry that CSOs have a responsibility not just to the companies that they work for, but the people whose data is affected,” said Curry. “In other words, Joe Sullivan and crew should have acted in the interest of the public good and public safety and made these tough choices far, far sooner. It's time not to let another Equifax, Deloitte, etc. happen and to leave no grey area to security officers as to what the right thing to do is.”