Uber hack: A lesson in how not to handle a data breach

stressed man

When Uber was hacked last year - losing 57 million drivers' and customers' details to cyber criminals - it decided not to tell anybody.

Instead it chose toconceal the data breachfrom everyone, even paying the hackers $100,000 to keep quiet and, Uber hoped, delete the data as promised.

When news of the breach came to light yesterday, however, the taxi app firm's cover up backfired, creating yet another PR disaster for a company struggling to reform its image.

Bruised and damaged, but intact, from investigations into its anti-competitive practices, losing its London operating licence, and even a complete overhaul of its business culture following allegations of systemic sexism, Uber now faces one more crisis before the end of the year.

Uber suffered the breach in October 2016 when hackers gained access to proprietary information stored on GitHub, which was then used to break into its Amazon Web Services account. Data belonging to 50 million customers was stolen as a result, including email addresses, phone numbers, and names.

An additional 7 million drivers also had their personal information accessed, including 600,000 US driver's licenses, Bloomberg reported.

Former CEO Travis Kalanick was alerted to the breach the following month, reports claimed, but Uber decided to hide the breach from authorities and buy the hackers' silence.

The hack, and subsequent cover up, took place during Kalanick's tenure as CEO. His successor, Dara Khosrowshahi, apologised for the cover up, promising Uber will learn from its "mistakes".

However, the episode should be an example to every business of how not to handle a data breach. As industry analyst Graham Cluley notes, "cock-ups are bad, but cover-ups can kill you".

"You can ask forgiveness for being hacked, but many people will find it harder to forgive and forget if you deliberately concealed the truth from them," adds Cluley, in a blog post.

The UK's National Cyber Security Centre (NCSC) has since issued an alert to companies reminding them of the need to report cyber attacks immediately.

"The more information a company shares in a timely manner, the better able we are to support them and prevent others falling victim," the statement reads.

"We are working closely with other agencies including the NCA and ICO to investigate how this breach has affected people in the UK and advise on appropriate mitigation measures," the NCSC adds. "Based on current information, we have not seen evidence that financial details have been compromised."

'Simple' hack strikes again

Many industry experts claim they're amazed as to how such a relatively simple hack could have affected a company as large as Uber.

"This is yet another case of user error trumping the best security measures readily available today. For an organisation as large as Uber, this is inexplicable," says Zohar Alon, CEO of cloud security firm Dome9.

"There are tools available right now within GitHub that automatically check code for embedded access credentials such as AWS API keys. This is something that Uber, and any organisation that is developing code, can and should implement whenever a software engineer checks in code to GitHub."

However, Equifax lost 145 million customers' details simply because it failed to patch a publicised flaw over summer (choosing to not disclose the breach for months afterwards). And plenty of firms have fallen foul of AWS's then-lack of default encryption for its S3 storage cloud.

Uber failed its 'social responsibility'

The lengths to which Uber went to keep the hack hidden is perhaps the most damaging revelation for Uber, particularly as Yahoo was facing criticism at the time for taking so long to disclose its own data breaches.

"Organisations like Uber have a social responsibility not only to do their best to protect the data they control, but to be transparent with their users about the risks to their identity," says Jeremiah Grossman, chief of security strategy at SentinelOne. "How an organisation responds to a breach is what really separates the good from the bad."

Rik Ferguson, vice president of security research at Trend Micro, argues that Uber's previous management "failed in their responsibility to their drivers, to regulators, to justice, and above all, to their customers".

While the initial shock of the revelation begins to set in, Uber will be cautiously awaiting the inevitable legal tremors that are likely to come sooner rather than later. The company already faces an investigation by the New York Attorney General over its handling of the breach, and according to Ken Spinner, VP of engineering at Varonis, other state authorities are going to be "salivating at the prospect of suing Uber".

"While there's no overarching federal regulations in place in the US, there's a patchwork of state regulations that dictate when disclosures must be made - often it's when a set number of users have been affected," said Spinner. "No doubt Uber has surpassed this threshold and violated many of them by not disclosing the breach for over a year.

"This is the latest example of how hiding a breach rarely benefits a company and almost surely will backfire."

Image: Bigstock

Dale Walker

Dale Walker is the Managing Editor of ITPro, and its sibling sites CloudPro and ChannelPro. Dale has a keen interest in IT regulations, data protection, and cyber security. He spent a number of years reporting for ITPro from numerous domestic and international events, including IBM, Red Hat, Google, and has been a regular reporter for Microsoft's various yearly showcases, including Ignite.