The massive data breach was kept quiet for a year, and hackers were even paid $100,000 to hush it up. Here's what happened and how Uber's response could have been better.
A blog post from Uber CEO Dara Khosrowshahi revealed that the ride share company suffered a massive data breach in 2016.
Two hackers, Khosrowshahi said, made off with the personal information of 57 million Uber users, as well as the names and driver's license numbers of 600,000 Uber drivers.
Khosrowshahi further claims that the attack only targeted an unnamed cloud service used by Uber, and that the company's own servers were never breached. As to why the attack is only now being reported, Khosrowshahi said it's because it's the first he's heard of it.
To make matters worse, it came out that Uber had actually paid the two hackers $100,000 to keep quiet and delete the data they stole, and there's no way to know if the hackers kept up their end of the deal.
Uber's hack is just the latest in a long line of major data breaches. What makes Uber's so bad is both its timing and the year-long cover up that accompanied it.
How the Uber hack happened
According to Bloomberg, the hack happened in October 2016 and involved two attackers. They managed to get into a private GitHub repository used by Uber, and from there extracted credentials that allowed them access to an AWS account that Uber used to handle computing tasks.
After snagging a massive bounty of personal data, the hackers contacted Uber to ask for money. Uber met the hacker's demands with the stipulation that they delete the info they stole and keep quiet about the incident.
SEE: How to calculate the cost of data breaches (TechRepublic)
During the incident Uber was in negotiations with the FTC over its handling of user data and had just settled a lawsuit in New York over data security disclosures under Uber's former CEO, Travis Kalanick.
How a breach response should happen
The delayed public response to this hack will raise further questions about the scope of Uber's transformation after ousting Kalanick, who presided over a host of scandals and chaos at the company. Uber is already in hot water with regulators in the US and the UK. This breach is only going to fan the flames.
So how should Uber have responded to a breach on this large a scale? For starters, said Peter M. Tran, GM and senior director at security firm RSA, "negotiating with cyber-criminals in any breach should NEVER be part of it."
SEE: Computer Hacking Forensic Investigation & Penetration Testing Bundle (TechRepublic Academy)
Uber's breach can provide practical lessons for any company with sensitive data stored in the cloud, which Tran reminds us is everyone in the modern world. Every business is a data business, he said, and when security is compromised at just one company it can cause a ripple effect that touches everyone.
Tran said the first 48 to 72 hours are the most critical, during which security teams should work to "identify, contain, communicate and remediate a breach." Tran added that breaches are not isolated IT incidents: They affect the company, its stakeholders, its customers, the government, other businesses ... anyone who could be even slightly affected by the theft of data.
Reacting to a breach like Uber did, Tran said, is exactly what not to do. What should have happened was an immediate admission of the breach, along with a clear, effective response plan. "When you break the integrity of managing risk during and after a data breach," Tran said, "[the] exposure can be catastrophic to the long term resiliency of a business."
The top three takeaways for TechRepublic readers:
- A 2016 security breach at ride share company Uber resulted in the theft of 600,000 driver's licenses, along with personal data on 57 million riders.
- Uber reportedly paid the attackers $100,000 to keep the attack quiet and delete the data. It's unknown whether or not the attackers actually complied with the request.
- Companies experiencing a large data breach should notify stakeholders, law enforcement, and customers immediately and should never give in to attacker demands.
- How Uber's toxic culture forced Kalanick out (TechRepublic)
- Uber app can silently record iPhone screens, researcher finds (ZDNET)
- Ditching Uber? 8 alternatives for professionals (TechRepublic)
- Uber says unauthorised transactions in Singapore not linked to global breach (ZDNET)
- IT leader's guide to big data security (Tech Pro Research)