Security Panel: What On Earth Was Uber Thinking?

News that Uber was hacked in 2016, and subsequently concealed it from users, has been the main topic of conversation among the cybersecurity community today.

While most have welcomed the company’s decision to public, observers are astounded at the cover up and the fact that Uber’s former management paid $100,000 to the attackers with no guarantee that the data had been safely disposed of.

Reports of class-action lawsuits and regulatory investigations are already emerging, but what can your business learn from this incident? Our panel of experts suggest the complete opposite to what Uber did more than a year ago.

Jamie Graves, ZoneFox CEO

“The most disturbing aspect of the Uber case is that they paid money to those responsible to destroy the data. As we have seen in numerous other cases, these gangs are the last group of people to be trusted. For example, ransomware distribution groups often will not decrypt the data they have locked away after receiving payment.

“So how do we know all of the data has been deleted? And how do we know that some accounts weren’t ‘cherry-picked’ for belonging to high-net users and then sold to the highest bidder? Uber CEO Dara Khosrowshahi wants to ‘change the way they do business’ – a thorough and immediate independent investigation into this attack would be a good place to start.”

Raj Samani, Chief Scientist and Fellow at McAfee

“As a regular Uber customer myself, this news makes me incredibly angry. Uber has treated its customers with a complete lack of respect. Millions of people will now be worrying over what has happened to their personal data over the past 12 months, and Uber is directly responsible for this.

“In opting to not only cover up the breach, but actually pay the hackers, Uber has directly contributed to the growth of cybercrime and the company needs to be held accountable for this.”

David Kennerley, Director of Threat Research at Webroot.

“Given the current climate around data security and breaches it is astonishing that Uber paid off the hackers and kept this breach under wraps for a year. The fact is there is absolutely no guarantee the hackers didn’t create multiple copies of the stolen data for future extortion or to sell on further down the line.

“A security breach of this size will potentially damage any business’ reputation, but how a company behaves following a breach is vital.  Potential victims deserve to be informed as soon as possible, so they can better protect themselves going forward – from changing passwords and being aware that they are now prime phishing targets. Being open and transparent and keeping customers informed is key, you can’t simply sweep these things under the carpet. “

Rik Ferguson, Vice President Security Research at Trend Micro

“There is no question that the previous management and security team at Uber failed in their responsibility to their drivers, to regulators, to justice and above all to their customers, and that’s a pretty long list.

“However certain those responsible may have been that their attackers had been silenced, digital theft does not work the same way as in the physical world, you can never “buy back the negatives” once data has been stolen.

“It is heartening to see the new management team come clean about the breach, but I remain concerned at some of the wording in Mr. Khosrowshahi’s blog. He appears to distance Uber’s ‘corporate systems and infrastructure’ from the “third-party cloud-based service” that was the target of the breach. This is perhaps indicative of the root of the problem. Cloud services adopted by a business are corporate systems and infrastructure and from a security perspective should be treated as such.

Terry Ray, Imperva CTO

“As reports have noted, the hack wasn’t sophisticated — the digital thieves broke into the accounts of two Uber engineers on Github, where they found the passwords to some online data storage that contained the personal info.

“Sadly, it’s all too common that developers are allowed to copy live production data for use in development, testing and QA. This data is almost never monitored or secured, and as we can see here, it is often stored in various locations and is often easily accessed by nefarious actors.

“Some of the questions that should be answered include: Why did engineers have access to 57 million records of personally identifiable information? Did they go through an approval work flow to move that data online? Did Uber security have any monitoring in place to alert them when such vast amounts of data were accessed? Controls to alert on suspicious data access do exist, but my guess is that they were not used, which is all too typical in today’s enterprises.”

Quiz: What do you know about transport technology?