Uber Data Breach Demonstrates Need for Better Use of Authentication, Data Encryption, and Faster Disclosure
Uber Technologies Inc. has fired its chief security officer (CSO) and one of his deputies for helping to cover up a 2016 data breach in which hackers stole the personal data of 57 million riders and drivers.
On 22 November, Bloomberg broke the news of security chief Joe Sullivan’s termination. Sullivan and his deputy apparently helped conceal the Uber data breach along with a payment of $100,000 the ride-sharing company made to those responsible for the attack. Their actions factored into Uber’s failure to report the data breach under state and federal law.
The Uber data breach occurred back in October 2016 when two attackers accessed Uber’s private GitHub page and abused credentials they obtained there to authenticate themselves on an Amazon Web Services (AWS) account used by the company to handle payments. It’s there that the attackers discovered the names, email addresses, and phone numbers of 50 million Uber riders around the world. They also discovered the personal information of 7 million Uber drivers including 600,000 driver’s license numbers.
Shortly thereafter, the attackers contacted Uber and demanded money. Sullivan and his deputy coordinated that payment and worked to hide what had happened.
Dara Khosrowshahi, CEO of Uber, regrets that the data breach and subsequent cover-up took place:
None of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.
Khosrowshahi went on to clarify that the company reached out to the attackers at the time of the incident and “obtained assurances” that they had destroyed the data. For that reason, Uber feels the data stolen in the breach has not been abused in any way. The ride-sharing service also instituted additional safeguards on its cloud-storage accounts.
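The breach began with credentials sitting in a source repository. One control that catches that class of mistake before it reaches the remote is a pre-commit scan of the tree for AWS key material; the script below is an added example for this article, not Uber's or Gemalto's code. The sample files are constructed, and the key values are the placeholders AWS uses in its own documentation, not live credentials.

```python
import math
import re
from dataclasses import dataclass

# Long-term access key IDs are 20 chars beginning with AKIA.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])AKIA[A-Z0-9]{16}(?![A-Z0-9])")
# Secret keys are 40 base64-style chars. A candidate is reported only when the line
# also mentions a secret and the token looks random, which filters out prose and hashes.
SECRET_CANDIDATE_RE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])")
ENTROPY_THRESHOLD = 4.5  # bits/char; a random 40-char key sits near 5

@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    excerpt: str  # redacted so the scanner never copies a secret into CI logs

def shannon_entropy(s: str) -> float:
    return -sum(p * math.log2(p) for p in (s.count(c) / len(s) for c in set(s)))

def redact(token: str) -> str:
    return token[:4] + "..." + token[-4:]

def scan_text(path: str, text: str) -> list[Finding]:
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(path, lineno, "aws_access_key_id", redact(m.group())))
        if "secret" in line.lower():
            for m in SECRET_CANDIDATE_RE.finditer(line):
                if shannon_entropy(m.group()) >= ENTROPY_THRESHOLD:
                    findings.append(Finding(path, lineno, "aws_secret_access_key", redact(m.group())))
    return findings

def scan_files(files: dict[str, str]) -> list[Finding]:
    return [f for path, text in files.items() for f in scan_text(path, text)]

# Constructed sample tree (not from the article): a config with keys pasted in and a
# module that reads them from the environment. Key values are AWS documentation placeholders.
SAMPLE_FILES = {
    "deploy/settings.ini": "[payments]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
    "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
    "app/config.py": "import os\nSECRET = os.environ['AWS_SECRET_ACCESS_KEY']\n",
}

if __name__ == "__main__":
    hits = scan_files(SAMPLE_FILES)
    print("\n".join(f"{f.path}:{f.line}: {f.kind} {f.excerpt}" for f in hits))
    raise SystemExit(1 if hits else 0)  # a non-zero exit blocks the commit
```

The module that reads the key from the environment produces no finding, which is the pattern the scan is meant to push developers toward.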
Jason Hart, VP and CTO for data protection at Gemalto, notes that Uber could and should have done things differently:
Three things should have been done better with regard to the Uber data breach: faster disclosure, better use of encryption for the entire data lifecycle, and the use of access management including strong multi-factor authentication. Delay in disclosing erodes trust, and it belies the fact that breaches like this that access your data via cloud services are inevitable. The goal should not be to hide these breaches or even prevent them. It should be to make them secure breaches by taking a more intelligent, data-centric approach to security. This means knowing exactly where your valuable data resides, who has access to it, how it is transferred, and when and where it is encrypted and decrypted. All that needed to be done here was to secure access to the data and encrypt it; it’s what other organizations need to do in the future to avoid this.
One thing is clear. If companies are going to be more successful in combating data breaches, they will need to adopt a new mindset when it comes to data security. For decades, the prevailing wisdom about cybersecurity has been that a perimeter “wall” should be built around the data and network to keep out intruders, and this strategy of breach prevention has been the foundation of corporate data security. The current breach epidemic shows us this approach is not working very well. What is needed is a Secure the Breach mindset. That means accepting the fact that data breaches are going to happen and moving security controls as close as possible to the data and the users accessing that data. That means using encryption to protect all sensitive data at rest and in motion, securely managing and storing all of your encryption keys, managing access centrally to all resources, and using multi-factor authentication. By embedding protection on the assets themselves, you ensure that even after the perimeter is breached, the information remains secure.
You can learn more about the Secure the Breach mindset by downloading Gemalto’s Secure the Breach Manifesto.