Uber has found itself in the midst of another storm after it came to light that top company executives deliberately covered up a massive data breach last year that compromised personal details of 57 million customers.
Uber failed to disclose the breach to the FTC at a time when it was negotiating with the latter about a previous breach that was covered up as well.
From losing its licence to operate in the UK, being fined by the FTC for covering up a data breach, facing multiple investigations over questionable pricing tactics, suffering serial cyber-attacks, and facing allegations of bribery and of stealing intellectual property from competitors, Uber has seen it all in its tumultuous past. However, the company’s conduct following a massive data breach that took place last year suggests that it may have taken things too far for anyone’s comfort.
What really happened?
Last year, a couple of malicious individuals accessed login credentials for one of Uber’s Amazon Web Services servers from coding site GitHub. Using these credentials, they were able to access a huge database that contained personal details of registered Uber drivers as well as millions of customers, both from the United States as well as from Europe.
As hackers are wont to do, they contacted Uber, informed it of the data they had obtained, and demanded a ransom in exchange for deleting it. Like many firms have done in the past, Uber chose the easier option, paid the hackers a $100,000 ransom, and decided to stay quiet about it.
Who was responsible for handling the breach?
The breach incident took place in October last year under the watch of Travis Kalanick, Uber’s controversial co-founder who stepped down from the post of CEO in June this year following a near-revolt led by the company’s investors. However, he has been allowed to continue as a board member.
In a statement to its customers and the media, Uber said that Kalanick was made aware of the data breach in November last year. Let alone informing its drivers and customers, Uber chose not to disclose the incident to the Federal Trade Commission, with which it was negotiating a settlement over its handling of consumer data.
The response to the breach was led by Joe Sullivan, the company’s security chief, who has now been fired. Sullivan’s actions following the incident were revealed after Dara Khosrowshahi, the company’s new CEO, commissioned an investigation into his activities by an outside law firm.
Uber has also decided to fire Salle Yoo, its chief legal officer, even though it said that she was not made aware of the data breach by those who knew about it.
What exactly did Uber hide?
The data breach compromised names and driver’s license numbers of around 600,000 drivers in the United States, as well as personal information of 57 million Uber users around the world, including names, email addresses and mobile phone numbers.
However, according to the company, the hackers were not able to get their hands on trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth of its drivers or customers.
Why reveal it now?
The decision to disclose the breach to the public was taken after Khosrowshahi took over as CEO in October. By his own admission, Khosrowshahi was unaware of the breach until he took over, and this prompted him to order an immediate investigation.
‘You may be asking why we are just talking about this now, a year later. I had the same question, so I immediately asked for a thorough investigation of what happened and how we handled it. What I learned, particularly around our failure to notify affected individuals or regulators last year, has prompted me to take several actions,’ said Khosrowshahi in a blog post.
Aside from coming clean, firing the executives at fault and hiring new ones in their place, Khosrowshahi also set out a number of steps the company will take to respond effectively to such cyber incidents and to improve its disclosure norms.
Khosrowshahi has also promised that all Uber employees will learn from their mistakes, change the way they do business, put integrity at the core of every decision, and work hard to win back the trust of customers. However, the bad taste the incident has left in the mouths of drivers and customers may haunt the company forever.
‘There is no question that the previous management and security team at Uber failed in their responsibility to their drivers, to regulators, to justice and above all to their customers, and that’s a pretty long list,’ says Rik Ferguson, Vice President Security Research at Trend Micro.
‘However certain those responsible may have been that their attackers had been silenced, digital theft does not work the same way as in the physical world, you can never “buy back the negatives” once data has been stolen,’ he adds.
Is Uber still committing mistakes?
What really stood out in Khosrowshahi’s blog post was the apparent lack of understanding of how critical the security of the cloud-based services used by the company is. In his statement, he said that malicious actors had accessed user data stored on a third-party cloud-based service and, as such, had not breached the company’s corporate systems or infrastructure.
The statement rings hollow considering that a data breach that did not ‘breach the company’s corporate systems or infrastructure’ ended up compromising the personal details of 57 million users worldwide.
‘He appears to distance Uber’s “corporate systems and infrastructure” from the “third-party cloud-based service” that was the target of the breach. This is perhaps indicative of the root of the problem. Cloud services adopted by a business *are* corporate systems and infrastructure and from a security perspective should be treated as such,’ Ferguson adds.
Dan Sloshberg, Cyber Resilience Expert at Mimecast, says that to combat threats and ensure they remain compliant ahead of the GDPR, organisations must invest in minimising their risk with an appropriate cyber resilience strategy, incorporating advanced security, data protection and recovery, and business continuity.
Unless Uber pays the same attention to the security of third-party cloud services such as AWS as it does to its own corporate systems, it is doing nothing but inviting many more cyber incidents in the future.
The GitHub factor
Khosrowshahi should also have addressed the practice of committing credentials to GitHub, which is constantly scrutinised by malicious actors looking to obtain such credentials. While sounding sincere, his letter does not address how Uber’s engineers will store or share secrets in the future, so it is no surprise that security researchers have remained unconvinced.
‘All it took was one developer making a mistake by checking a password into GitHub. Why does that password unlock so many sensitive records? These kinds of slip-ups are frequently surfaced during internal pen tests or third-party security audits,’ says Ken Spinner, VP of Field Engineering at Varonis.
‘This point of failure raises the question: are Uber employees required to use 2FA for key applications like GitHub? Many attacks nowadays originate from compromised credentials; businesses need to ensure that hacking one employee’s account doesn’t unlock such a wide array of sensitive data,’ he adds.
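The slip-up Spinner describes, a credential checked into a repository, is one that can be caught mechanically before a commit leaves a developer’s machine or at the latest in CI. The following scanner is an added example written for this article, not code from Uber or from any of the vendors quoted. It looks for the fixed shape of an AWS access key ID (the ‘AKIA’ prefix plus 16 upper-case alphanumerics) and for a 40-character secret access key sitting next to a secret-looking variable name, using a Shannon entropy threshold (3.5 bits per character is an assumed cut-off) to discard low-entropy placeholders. The key values in the sample config and diff are the placeholder credentials from AWS’s own documentation, not real keys, and the findings carry only a redacted fragment of each match so the report itself never reproduces the secret.

```python
import math
import re
from collections import Counter

# AWS access key IDs have a fixed, recognisable shape: "AKIA" plus 16 upper-case
# alphanumerics. The secret access key is 40 base64-style characters with no
# fixed prefix, so it is only reported next to a secret-looking variable name
# and only when its entropy is high enough to look like key material.
AWS_ACCESS_KEY_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
AWS_SECRET_RE = re.compile(
    r"(?i)secret[_a-z]*\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def shannon_entropy(s):
    """Bits of entropy per character; random key material scores well above 3.5."""
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(value):
    """Never write the whole secret into a report or log; keep just enough to locate it."""
    return value[:4] + "..." + value[-4:]


def scan_lines(numbered_lines, min_entropy=3.5):
    """Scan (line_number, text) pairs and return a list of findings."""
    findings = []
    for lineno, line in numbered_lines:
        for m in AWS_ACCESS_KEY_RE.finditer(line):
            findings.append({"line": lineno, "kind": "aws_access_key_id",
                             "value": redact(m.group(1))})
        for m in AWS_SECRET_RE.finditer(line):
            secret = m.group(1)
            # Assumed threshold: 3.5 bits/char separates key material from
            # placeholders such as "aaaa..." or "xxxx..." of the right length.
            if shannon_entropy(secret) >= min_entropy:
                findings.append({"line": lineno, "kind": "aws_secret_access_key",
                                 "value": redact(secret)})
    return findings


def scan_text(text):
    """Scan a whole file, e.g. a config file that is about to be committed."""
    return scan_lines(enumerate(text.splitlines(), 1))


def scan_diff(diff_text):
    """Scan only the added lines of a unified diff (a pre-commit or CI check);
    line numbers refer to positions within the diff, not within the file."""
    added = [(n, l[1:]) for n, l in enumerate(diff_text.splitlines(), 1)
             if l.startswith("+") and not l.startswith("+++")]
    return scan_lines(added)


# Constructed samples. The key values are the placeholder credentials AWS uses
# in its own documentation, not real keys.
SAMPLE_CONFIG = """\
[default]
region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

SAMPLE_DIFF = """\
diff --git a/deploy.sh b/deploy.sh
--- a/deploy.sh
+++ b/deploy.sh
@@ -1,2 +1,3 @@
 #!/bin/sh
+export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
 aws s3 sync ./build s3://example-bucket
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG) + scan_diff(SAMPLE_DIFF):
        print(f"line {f['line']}: {f['kind']} {f['value']}")
```

Run against the sample config it reports the access key ID on line 3 and the secret on line 4; run against the sample diff it reports only the added `export` line. The entropy gate is what keeps a check like this usable in practice: a 40-character run of the same letter in a template file is the right length but not key material, and a scanner that flags it will be switched off within a week. Catching the credential at commit time is only the first layer; Spinner’s other point, that one leaked key should not unlock tens of millions of records, is a matter of how narrowly the key’s permissions are scoped in the first place.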
The long arm of GDPR
Dean Armstrong QC, Cyber Law Barrister at Setfords Solicitors, has explained how Uber’s curious non-disclosure practices, as well as its response to cyber incidents, will land it in serious trouble in the days ahead.
‘The General Data Protection Rules (GDPR) coming into play in the UK and Europe next year are designed specifically to deal with such occurrences.
‘While the hack occurred in North America, the regulations will apply to any EU citizen’s data. Assuming that at least some of the 50 million records hacked were of EU citizens, then under the new rules GDPR would potentially see Uber punished under EU regulation,’ he says.
He adds that the UK and Europe are adopting stricter rules on personal data protection for precisely this kind of event, and that there is no doubt the regulator will come down hard and impose fines that would likely run to tens of millions.
‘GDPR is a declaration that personal data is sacrosanct, and that organisations will be held to account if they misuse, abuse or conceal attacks on it. If Uber wants to continue its rise across Europe it has to reverse its attitude to hacks, come clean and work tirelessly to make its protections and reporting systems watertight.
‘It has much work ahead of it, but perhaps this lesson will finally signal to other organisations that law-makers, and the public have had enough of poor data protection provision,’ he adds.