Crash and burn: security fallout continues from Uber data breach

A car crash involving a van with a 'we stop leaks' logo

Last week, the ride-sharing service Uber admitted to a data breach involving personal details on 57 million users. Amid a seemingly constant stream of data breaches this year, this news catches the eye for several reasons. One, it’s a well-known company. Two, 57 million is a big number (even though it’s barely more than a third of the number of records leaked in the Equifax breach). Three, Uber has been in the spotlight for the questionable corporate culture under former CEO Travis Kalanick.

Drive my car

Culture matters because it may tell us a lot about how Uber deals with security issues. Uber is one of the companies leading the push to develop driverless vehicles. Some cars already rely so heavily on sensors, electronics components and connectivity that they are a security risk on wheels. A literal moving target for hackers.

Bloomberg broke the story. It said the compromised data included customer names, email addresses and phone numbers, as well as driver information including licence numbers.

Soon after, CEO Dara Khosrowshahi issued a statement confirming the news. “I recently learned that in late 2016 we became aware that two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use. The incident did not breach our corporate systems or infrastructure.”

Money (that’s what I want)

Arguably the most damaging revelation was that Uber had paid hackers $100,000 to hide the news. Unsurprisingly, its decision prompted vigorous debate. Prominent security journalist Brian Krebs asked on Twitter:

 

Dan Kaminsky, a widely respected security researcher, also had some sympathy for Uber’s predicament.

Other commentators weren’t so kind. Some pointed out the very obvious risk in trusting criminals to keep their word and say nothing about the breach. Katie Moussouris, one of the prime movers in the bug bounty movement, spent the following days making a clear distinction between ethical programmes for identifying security weaknesses in software, versus paying hush money.

A bigger issue is whether Uber fell afoul of regulators for its failure to disclose the breach. As Adrian Weckler reported in the Irish Independent, Uber falls under the Dutch regulatory regime, so it won’t have to pay fines in Ireland. Stateside, there’s a growing clamour for the company to appear before Congress to answer for what happened.

Ticket to ride

As with most security incidents, there are plenty of lessons to learn from Uber’s experience. If handled incorrectly, a breach can lead to a serious loss of career prospects. What’s more, we now know the breach happened in October 2016 but did not become public knowledge until November 2017. Waiting a year before disclosing a breach is hardly ideal. Regulations like the upcoming GDPR often oblige companies to report incidents that involve leaked personal data.

There is also the risk of collateral damage from a security perspective. Soon after the news broke, The Daily Beast reported the appearance of scam emails designed to trick recipients into revealing their Uber passwords. The messages were made to appear like genuine security alerts from the company, complete with authentic branding. This is now par for the course for scammers, as they exploit current events like Black Friday to fool people.

Leave a Reply

Your email address will not be published. Required fields are marked *