Security Central: Car-astrophe Wrecks Uber
It was recently disclosed that Uber has had a pretty massive skeleton in its closet for quite some time. The ride-hailing company revealed that it concealed a data breach for more than a year, according to a report by Bloomberg.
The breach was carried out by two hackers, who accessed the personal data of 57 million users in October 2016. The breach exposed the names, email addresses and phone numbers of customers and drivers alike across the globe. Uber stated that the exposed data was stored on a third-party cloud-based service and that internal systems and infrastructure were not damaged or affected.
The company doesn’t think that credit card details, bank account numbers, dates of birth or trip location history were exposed. However, Uber chief executive Dara Khosrowshahi said the names and driver’s license numbers of approximately 600,000 drivers in the US were exposed, along with the information of the 57 million users.
“None of this should have happened, and I will not make excuses for it,” Dara Khosrowshahi, who took over as chief executive officer in September, said in an emailed statement. “We are changing the way we do business.”
Ok well, you get an A for effort Dara, but is it too little too late? Zohar Alon, co-founder and CEO of Dome9, weighs in on the matter, saying that this is yet another case of user error trumping the best security measures that are readily available today. “For an organization as large as Uber, this is inexplicable,” says Alon. “There are tools available right now within GitHub that automatically check code for embedded access credentials such as AWS API keys.”
Alon goes on to say that this is something that Uber, and any organization that is developing code, can and should implement whenever a software engineer checks in code to GitHub. “Relying on a developer or administrator to follow best practices is foolhardy at scale and the errors seem to be more egregious each and every time a breach makes the headlines.”
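To make the check Alon is describing concrete, here is an added example, written for this column and not taken from Uber, GitHub or Dome9, of a small scanner that a pre-commit hook or CI job can run over staged files before they ever reach a repository. It assumes only the public shape of AWS credentials: access key IDs are 20 characters beginning with AKIA (long-term) or ASIA (temporary), and secret access keys are 40 characters from the base64 alphabet. Because a bare 40-character string also matches git SHAs and other hashes, the scanner requires a nearby "secret ... key" assignment keyword and then applies a Shannon-entropy check so that documentation placeholders are not reported. The settings-file content and the key values in it are constructed for the example.

```python
"""Scan text (a staged file, a diff, a pasted snippet) for embedded AWS credentials.

Added example, not Uber's or GitHub's tooling. Assumes only the documented
credential format; the sample file content at the bottom is constructed.
"""
import math
import re
import sys
from collections import Counter
from typing import List, NamedTuple

# Access key IDs: AKIA (long-term) or ASIA (temporary) + 16 uppercase letters/digits.
ACCESS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")

# A bare 40-char base64 string also matches git SHAs and hashes, so require a
# "secret ... key" style assignment keyword within a few characters of the value.
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws)?_?secret(?:_access)?_?key\W{0,8}([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"
)

# Real 40-char secrets carry roughly 4.5-5.3 bits of entropy per character;
# placeholders such as "EXAMPLEKEYEXAMPLEKEY..." sit well below 4.
ENTROPY_THRESHOLD = 4.0


class Finding(NamedTuple):
    source: str
    line: int
    kind: str
    preview: str  # redacted: never echo the full secret into CI logs


def shannon_entropy(s: str) -> float:
    """Bits per character of the empirical symbol distribution of s."""
    n = len(s)
    counts = Counter(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep just enough of the value to locate it in the file."""
    return f"{value[:4]}...{value[-4:]}"


def scan_text(text: str, source: str = "<stdin>") -> List[Finding]:
    """Return one Finding per credential-looking value, with 1-based line numbers."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append(Finding(source, lineno, "aws_access_key_id", redact(m.group(0))))
        for m in SECRET_KEY_RE.finditer(line):
            candidate = m.group(1)
            if shannon_entropy(candidate) >= ENTROPY_THRESHOLD:
                findings.append(Finding(source, lineno, "aws_secret_access_key", redact(candidate)))
    return findings


def should_block(findings: List[Finding]) -> bool:
    """A pre-commit hook or CI step fails the check when anything was found."""
    return len(findings) > 0


# Constructed sample of a settings file a developer might stage by mistake.
# The key values are made up and only follow the documented format.
SAMPLE_FILE = """\
# settings.py
AWS_REGION = "us-east-1"
AWS_ACCESS_KEY_ID = "AKIAQ7RT2M9XC4VB8LNP"
AWS_SECRET_ACCESS_KEY = "Zq3mR9vXtL2pW8kYhN5cJd1eGbA7fUo4sTiVxQwE"
# placeholder: right length, low entropy, must not be reported
EXAMPLE_SECRET_KEY = "EXAMPLEKEYEXAMPLEKEYEXAMPLEKEYEXAMPLEKEY"
GIT_SHA = "9f8a7b6c5d4e3f2a1b0c9d8e7f6a5b4c3d2e1f0a"
"""


def main(paths: List[str]) -> int:
    """Pre-commit usage: pass the staged file names; a non-zero exit blocks the commit.
    With no arguments the constructed sample is scanned instead."""
    findings: List[Finding] = []
    if paths:
        for path in paths:
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_text(fh.read(), path))
    else:
        findings = scan_text(SAMPLE_FILE, "settings.py")
    for f in findings:
        print(f"{f.source}:{f.line}: {f.kind} {f.preview}")
    return 1 if should_block(findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run with no arguments it reports the access key ID on line 3 and the secret on line 4 of the sample, stays quiet about the placeholder and the git SHA, and exits 1. Wired into a pre-commit hook or a CI step on every push, the same exit code is what stops a credential from reaching the repository; rotating any key it does catch is still required, since the value already lived on a developer's disk.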
Here’s what happened. The two attackers wormed their way into a private GitHub coding site used by Uber software engineers, obtained the login credentials they found there and used them to access data stored in an Amazon Web Services (AWS) account that handled computing tasks for the company. From there, the hackers struck gold, uncovering a glittering archive of rider and driver information. Then, they sat on it for a while. When they made their move, the devious duo emailed Uber asking for money. Because of course they did.
Several state and federal laws require companies to alert affected people and government agencies when sensitive data breaches occur. Instead of doing this, Uber remained silent and swept the issue under the rug.
“At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals,” Khosrowshahi said. “We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.”
From a security standpoint, and from a provider standpoint, there is something extremely shady about this breach. It’s not just that Uber, a massive company, was breached; what’s most alarming are the lengths Uber went to in order to hide the attack.
Morey Haber, vice president of technology at BeyondTrust has a bluntly honest, colorful take.
“There is something deeply disturbing about this breach,” says Haber. “Come to think of it, there are multiple things disturbing about this breach. As a security professional, I am baffled by these events and not sure how to even prioritize the things they did wrong. There are so many of them, and every business should consider these as lessons learned and not make the same mistakes.”
Clearly, the new executive team gets it, but the former CEO and legal officers were clueless. This is just another case of stolen credentials being used in a targeted attack, hackers demanding ransom for the stolen information, and a company failing to take responsibility for its users’ data. Sigh…
Stephan Chenette, CEO and Co-Founder, AttackIQ, says that we continue to see security control misconfigurations that result in costly breaches. “Organizations that do not actively search for protection failures will more than likely find themselves victims of cybercrime such as Uber,” says Chenette. “What makes this breach particularly damning is the failure of Uber to ethically disclose the breach to its customers. This is another epic failure.”
Ok so yes, it’s a huge failure on Uber’s part. And yes, hopefully they learned their lesson. But what do we do? There’s some wisdom to be gleaned from this, believe it or not, however simple. Manoj Asnani, VP Product and Design at Balbix, states that stolen passwords are one of the most common ways adversaries propagate through the enterprise to steal critical data.
“Most security solutions do not provide visibility into breach risk from password reuse,” says Asnani. “Predictive security solutions can look at the password behavior of users – including sharing of passwords across personal and corporate use – and flag that risk. With this kind of a solution, Uber would have been able to see developers sharing the same passwords for GitHub and AWS accounts and taken action to prevent this breach.”
So, what’s the answer? Predictive security solutions? An all-around protection structure? What are you seeing with customers? What are their concerns?
The views expressed in this column do not necessarily reflect the views of Penton Media or The VAR Guy editorial staff.