Uber Again Shows How not to Deal with a Breach

29 Nov 2017

Uber, the popular ride-hailing company, has an impressive history of making the news for almost all of the wrong reasons. This has happened to the extent that investors forced co-founder and ex-CEO Travis Kalanick to step down, paving the way for the new CEO Dara Khosrowshahi to pick up the pieces from past indiscretions. In the most recent case of terrible news for the company, hackers stole names, email addresses and phone numbers of 50 million Uber riders around the world and the personal information of about 7 million drivers, including some 600,000 U.S. driver’s license numbers. The company has stated that no Social Security numbers, credit card information, trip location details, or other data were taken.


Uber pays hackers $100,000

In an article published by Bloomberg, it was revealed that Uber paid the hackers responsible for the breach $100,000. The amount was paid in order to get the hackers to delete the stolen data that was taken over a year ago in October 2016. The payment can be seen as an attempt to sweep the incident under the rug and not inform the Federal Trade Commission or those potentially affected by the stolen data.

At the time of this incident, Uber was in negotiations with US regulators who were investigating separate claims of privacy violations. Uber now says it had a legal obligation to report the hack to regulators and to drivers whose license numbers were taken. After Uber’s disclosure on Tuesday, New York Attorney General Eric Schneiderman launched an investigation into the hack. Adding more fuel to the fire, the company is being sued by a customer for negligence due to the breach. Uber contends that it believes the information was never used, but declined to disclose the identities of the attackers, who are believed to be two individuals. US authorities may not be willing to accept such a failure to disclose the hackers’ identities.

Data breaches happen to the biggest companies. Many of those companies handle a breach in a respectable manner by informing authorities and all those affected; Uber, however, decided not to follow best practices. It has been reported that Travis Kalanick was informed about the hack in November 2016, but no disclosure was made. This decision may have been influenced by the fact that Uber was, at the time, settling a lawsuit with the New York attorney general over data security disclosures and negotiating with the Federal Trade Commission over its handling of consumer data. Travis Kalanick has refrained from commenting on this latest scandal, causing another headache for his successor. As a result, Joe Sullivan, the security officer who spearheaded the response to the hack last year, has been asked to step down. He is currently being investigated by a private law firm on the recommendation of the company’s board.


How the hack occurred

The hack began with two attackers gaining access to Uber’s private GitHub site. They then used credentials they obtained there to access data stored in an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money, which we now know Uber willingly paid in order to keep the incident under wraps.
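The chain described above, cloud credentials sitting in a source repository and then reused against the cloud account, is exactly what a secret-scanning pre-commit check is meant to stop before the push happens. What follows is an added example, not Uber’s tooling or anything from the original article: a minimal scanner for AWS access key IDs and secret access keys, run over constructed sample files whose key values are made-up placeholders. A key that has already been committed must be treated as leaked and rotated, because the repository history still contains it even after the file is cleaned.

```python
import re
import sys
from dataclasses import dataclass

# Access key IDs are 20 chars starting with AKIA (long-term) or ASIA (temporary credentials).
AWS_ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Secret keys are 40 base64-like chars; require a recognisable variable name next to the
# value so ordinary 40-char hashes (e.g. SHA-1 in lock files) are not flagged.
AWS_SECRET_RE = re.compile(r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})")

@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str      # "aws_access_key_id" or "aws_secret_access_key"
    redacted: str  # first four characters only, so the hook's own output leaks nothing

def scan_text(path, text):
    """One Finding per credential-looking token in one file's contents."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(path, line_no, "aws_access_key_id", m.group(0)[:4] + "..."))
        for m in AWS_SECRET_RE.finditer(line):
            findings.append(Finding(path, line_no, "aws_secret_access_key", m.group(1)[:4] + "..."))
    return findings

def scan_files(files):
    """files maps path -> contents, as a hook would read them from the staged index."""
    return [f for path, text in files.items() for f in scan_text(path, text)]

def precommit_exit_code(files):
    """Non-zero blocks the commit: git aborts when a pre-commit hook exits with failure."""
    findings = scan_files(files)
    for f in findings:
        print(f"{f.path}:{f.line_no}: {f.kind} ({f.redacted}) must not be committed", file=sys.stderr)
    return 1 if findings else 0

# Constructed sample input: placeholder keys (not real credentials) beside a clean README.
SAMPLE_FILES = {
    "config/settings.py": "AWS_ACCESS_KEY_ID = 'AKIAEXAMPLE000000000'\n"
                          "AWS_SECRET_ACCESS_KEY = 'EXAMPLEsecretKEYexampleSECRETkeyEXAMPLE0'\n",
    "README.md": "Configure credentials with `aws configure`; never commit them.\n",
}

if __name__ == "__main__":  # usage: scan_aws_keys.py [files...]; no args scans the sample
    paths = sys.argv[1:]
    files = {p: open(p, encoding="utf-8", errors="replace").read() for p in paths} or SAMPLE_FILES
    sys.exit(precommit_exit_code(files))
```

Wired into `.git/hooks/pre-commit` with the staged file list as arguments, the non-zero exit refuses the commit; the same patterns can be run over the full history to find keys that were committed in the past.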

In an attempt to lessen the damage, Khosrowshahi said, “At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals.” He went on to say, “We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.” Unfortunately, for a company that has developed a reputation for bending if not breaking the rules, such comments fall on deaf ears. To date, the U.S. has opened at least five criminal probes into possible bribes, illicit software, questionable pricing schemes, and theft of a competitor’s intellectual property. The San Francisco-based company also faces dozens of civil suits. Adding to its domestic troubles, Uber faces U.K. regulators such as the National Crime Agency, who are also looking into the scale of the breach. London and other governments have previously taken steps toward banning the service, citing reckless behavior by Uber.


Dealing with headaches of the past

In January 2016, the New York attorney general fined Uber $20,000 for failing to promptly disclose an earlier data breach in 2014. It would seem that very few lessons were learned by those at Uber. The new CEO Khosrowshahi has made it his personal crusade to correct Uber’s less than savory reputation. Khosrowshahi asked for the resignation of Sullivan and fired Craig Clark, a senior lawyer who reported to Sullivan. In another effort to lessen the overall damage of this latest scandal, Uber has hired Matt Olsen, a former general counsel at the National Security Agency and director of the National Counterterrorism Center, as an adviser. Part of his new role will be to help restructure the security teams and, hopefully, implement an incident response policy governed not by concealment but by responsible disclosure of such incidents. Uber has also hired Mandiant, a cybersecurity firm owned by FireEye Inc., to investigate the hack.


As to the drivers affected, Uber will be providing free credit monitoring and identity theft protection. In a statement to the press and public, Uber stated that no evidence of fraud or misuse tied to the incident was found; however, it is monitoring the affected accounts and has flagged them for additional fraud protection. The new CEO closed his statement with: “None of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”
