Last week, the ride-sharing service Uber admitted to a data breach involving personal details on 57 million users. Amid a seemingly constant stream of data breaches this year, this news catches the eye for several reasons. One, it’s a well-known company. Two, 57 million is a big number (even though it’s barely more than a third of the number of records leaked in the Equifax breach). Three, Uber has been in the spotlight for the questionable corporate culture under former CEO Travis Kalanick.
Culture matters because it may tell us a lot about how Uber deals with security issues. Uber is one of the companies leading the push to develop driverless vehicles. Some cars already rely so heavily on sensors, electronic components and connectivity that they are a security risk on wheels. A literal moving target for hackers.
Bloomberg broke the story. It said the compromised data included customer names, email addresses and phone numbers, as well as driver information including licence numbers.
Soon after, CEO Dara Khosrowshahi issued a statement confirming the news. “I recently learned that in late 2016 we became aware that two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use. The incident did not breach our corporate systems or infrastructure.”
Arguably the most damaging revelation was that Uber had paid hackers $100,000 to hide the news. Unsurprisingly, its decision prompted vigorous debate. Prominent security journalist Brian Krebs asked on Twitter:
Serious question: How is what Uber did any different from companies paying to get files back after ransomware infections? In the latter case, the victim org (at least during the initial scramble/emergency) probably doesn't know whether the attackers have local copies of the data.
— briankrebs (@briankrebs) November 22, 2017
Dan Kaminsky, a widely respected security researcher, also had some sympathy for Uber’s predicament.
Uber paid $100K to protect 57M people?
I think people forget the goal is actually to prevent harm.
Yeah, those hackers could totally have kept the data. But then, their identities were known, and they knew they might face consequences.
Not ideal, welcome to the real.
— Dan Kaminsky (@dakami) November 21, 2017
Other commentators weren’t so kind. Some pointed out the very obvious risk in trusting criminals to keep their word and say nothing about the breach. Katie Moussouris, one of the prime movers in the bug bounty movement, spent the following days making a clear distinction between ethical programmes for identifying security weaknesses in software, versus paying hush money.
A bigger issue is whether Uber fell foul of regulators through its failure to disclose the breach. As Adrian Weckler reported in the Irish Independent, Uber falls under the Dutch regulatory regime, so it won’t have to pay fines in Ireland. Stateside, there’s a growing clamour for the company to appear before Congress to answer for what happened.
As with most security incidents, there are plenty of lessons to learn from Uber’s experience. If handled incorrectly, a breach can lead to a serious loss of career prospects. What’s more, we now know the breach happened in October 2016 but did not become public knowledge until November 2017. Waiting a year before disclosing a breach is hardly ideal. Regulations like the upcoming GDPR often oblige companies to report incidents that involve leaked personal data.
There is also the risk of collateral damage from a security perspective. Soon after the news broke, The Daily Beast reported the appearance of scam emails designed to trick recipients into revealing their Uber passwords. The messages were made to appear like genuine security alerts from the company, complete with authentic branding. This is now par for the course for scammers, as they exploit current events like Black Friday to fool people.