SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Experts share their opinions on Uber breach - some supportive, some scathing
Thu, 23rd Nov 2017

In October 2016 hackers stole the personal data of 57 million customers and drivers from Uber, and the company has only now revealed the news.

The stolen data included the names, email addresses and phone numbers of 50 million Uber riders and seven million drivers around the world; for the drivers, it also included driver's licence numbers.

“None of this should have happened, and I will not make excuses for it,” Dara Khosrowshahi, who took over as chief executive officer in September, said in an emailed statement. “We are changing the way we do business.”

A number of experts have come forward to share their opinions on the huge news.

Jon Oliver, senior architect at security software vendor Trend Micro

“We do not encourage anyone to do what has occurred in this situation. Paying extortion money to keep breaches secret encourages additional cyberattacks. Since the cyber criminals were able to monetise their breach, they are encouraged to attack other organisations, and in particular to return to the same company (since it was, from their perspective, a “paying customer”). Furthermore, there is no guarantee that the cyber criminals will follow through with any agreement. The data might be sold, or they may return to the company with an increased extortion demand.

Organisations and businesses in Australia and worldwide should promptly report the breach to the affected people and to the appropriate authorities.

This minimises the impact on their customers and on the value of the stolen data. Reporting breaches promptly and being transparent makes your business less attractive to cybercriminals.”

David Kennerley, director of Threat Research at Webroot

“Given the current climate around data security and breaches it is astonishing that Uber paid off the hackers and kept this breach under wraps for a year. The fact is there is absolutely no guarantee the hackers didn't create multiple copies of the stolen data for future extortion or to sell on further down the line.

A security breach of this size will potentially damage any business' reputation, but how a company behaves following a breach is vital. Potential victims deserve to be informed as soon as possible, so they can better protect themselves going forward, from changing passwords to being aware they are now prime phishing targets. Being open and transparent and keeping customers informed is key; you can't simply sweep these things under the carpet.”

Chester Wisniewski, principal research scientist at Sophos

“Uber's breach demonstrates once again how developers need to take security seriously and never embed or deploy access tokens and keys in source code repositories. I would say it feels like I have watched this movie before, but usually organisations aren't caught while actively involved in a cover-up.

Putting the drama aside, and the potential impacts from the upcoming GDPR enforcement, this is just another development team with poor security practices that has shared credentials. Sadly, this is more often than not the case in agile development environments.”

Corey Williams, senior director of Products and Marketing at Centrify

“While the cover-up is making the headlines, this hack was utterly preventable.

Unfortunately, companies continue to rely on a system of trust: Trust that a simple username and password is enough to know who is accessing their network and systems; trust that perimeter security has eliminated all of the bad actors within the network; and trust that once on the network or system that the user should have access to any data or commands.

While the Uber breach was large in terms of the 57 million customer and driver records lost, if the company had followed standard breach protocol by notifying authorities and impacted users, remediated the problem and laid out steps that they were taking to avoid future breaches, the impact would have been much less.

History is replete with examples of individuals and organisations turning manageable problems into serious crises simply by trying to hide the truth. Uber was obliged to notify regulators and the impacted users and drivers. Instead, they took extreme measures to hide the hack, paying $100,000 to the hackers to remain quiet, and actively took steps to keep the truth under wraps.”

Carlo Minassian, founder of LMNTRIX

"The new CEO's actions are refreshing and aligned to how a responsible company should behave.

Covering up breaches is a common instinct across many organisations once they realise they simply haven't done enough to keep their customer data secure.

Instead of facing the truth and losing customer trust, they choose to hide it and once the breach inevitably surfaces, the public outrage compounds with each month that has passed.

It boils down to human nature and their choices as individuals as opposed to a wider company decision in this case. Their CSO knew the last thing Uber needed at that point was more controversy, so he tried to do what he felt was best for the company and ultimately paid the price for it with his job."

Kevin Bocek, VP of Security Strategy and Risk Intelligence at Venafi

“The incident at Uber is an example of how unprotected machine identities can lead to data breaches. Access to cloud services, such as Amazon AWS, is secured with SSH keys that are often outside the control of security teams.

Unfortunately, we frequently see SSH keys that provide access to AWS left unprotected in GitHub. Without robust SSH intelligence and strong security controls, malicious actors can abuse these keys while flying under the radar of most other security controls.

Weak SSH protection is like a fleet of Ubers that have gone out of control; no one can stop them.”
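Wisniewski's point about tokens and keys committed to source repositories and Bocek's point about keys for AWS left in GitHub come down to the same control: scan what is about to be committed, or what is already in the tree, for credential material before an outsider does. The script below is an added example, not code from this article or from Sophos, Venafi or Uber. Its detection patterns, function names and the embedded sample configuration are this example's own assumptions; the sample uses the placeholder access key pair from the AWS documentation, which is not a live credential.

```python
"""Scan text or a working tree for committed credentials.

Added example (not the article's or any vendor's code).  Catches the two
shapes of leak discussed above: static cloud access keys and private-key
material, plus a lower-confidence high-entropy check for token-like values
assigned to sensitively named variables.
"""
import math
import os
import re
import sys
from typing import List, NamedTuple


class Finding(NamedTuple):
    path: str
    line: int
    kind: str
    match: str  # redacted so the scanner's own output does not re-leak the key


# High-confidence structural patterns (assumed formats, see lead-in).
_PATTERNS = [
    ("aws-access-key-id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("private-key-block",
     re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC |DSA |ENCRYPTED |)PRIVATE KEY-----")),
    # 40-char base64-ish value assigned to something named like an AWS secret key
    ("aws-secret-access-key",
     re.compile(r"(?i)aws[_-]?secret[_-]?access[_-]?key\W{0,5}"
                r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")),
]
# Lower-confidence: a long value assigned to a variable whose name suggests a secret.
_SENSITIVE_ASSIGN = re.compile(
    r"(?i)\b\w*(?:secret|token|password|passwd|api_?key)\w*\s*[:=]\s*['\"]?"
    r"([A-Za-z0-9/+=_\-]{20,})")
_ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cut-off for "looks random"

# Constructed sample of a config file of the kind that gets committed by mistake.
SAMPLE = """\
# constructed sample: what a leaked config in a repo might look like
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
region = us-east-1
# deploy key pasted into the repo
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAA
-----END OPENSSH PRIVATE KEY-----
github_token = "ghp_exampleTOKEN1234567890abcdef"
password_min_length = 8
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking tokens score well above plain words."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    return value[:4] + "..." + value[-4:] if len(value) > 12 else "***"


def scan_text(text: str, path: str = "<stdin>") -> List[Finding]:
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pat in _PATTERNS:
            for m in pat.finditer(line):
                val = m.group(m.lastindex) if m.lastindex else m.group(0)
                findings.append(Finding(path, lineno, kind, redact(val)))
        for m in _SENSITIVE_ASSIGN.finditer(line):
            val = m.group(1)
            already = any(f.line == lineno for f in findings)
            if not already and shannon_entropy(val) > _ENTROPY_THRESHOLD:
                findings.append(Finding(path, lineno, "high-entropy-secret", redact(val)))
    return findings


def scan_tree(root: str, skip_dirs=(".git", "node_modules", ".venv")) -> List[Finding]:
    """Walk a checkout; binary files are read with errors ignored and simply yield nothing."""
    findings: List[Finding] = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    findings.extend(scan_text(fh.read(), path))
            except OSError:
                continue
    return findings


if __name__ == "__main__":
    # With paths: scan them (usable as a pre-commit hook, non-zero exit blocks the commit).
    # Without: scan the constructed SAMPLE above.
    results = [f for p in sys.argv[1:] for f in scan_tree(p)] if sys.argv[1:] \
        else scan_text(SAMPLE, "sample.ini")
    for f in results:
        print(f"{f.path}:{f.line}: {f.kind} {f.match}")
    sys.exit(1 if results else 0)
```

Run as `python scan_secrets.py path/to/checkout` or call it from a pre-commit hook on the staged files. Two caveats: pattern scanners only find keys whose format they know (the entropy check is a partial net for the rest), and a key that was committed even once stays in the repository's history, so the remedy for a hit is to rotate the credential, not just to delete the line.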

Amit Yoran, chairman and CEO at Tenable

"The Uber hack is just the latest example of a widespread culture of lackadaisical cyber practices and a lack of executive accountability -- this mischaracterises corporate risk and cripples cybersecurity efforts. Executives and organisations must be held accountable both for exercising a reasonable standard of care to protect their systems and their data and for discovering and disclosing breaches in a timely manner."

Michael Sutton, chief information security officer at Zscaler 

“In 2017, companies are judged more on the breach response than the breach itself. Yet again we're receiving a lesson in how not to respond. We have two separate issues here. The first is legal. Uber undoubtedly violated numerous US and international data breach disclosure laws by failing to inform drivers and users that their personal information had been compromised. The second concern is ethical.

Uber, a company that had already exhibited questionable judgement on a number of occasions, chose to go to significant lengths to bury a data breach rather than protect their customers and drivers. Even after they had paid criminals to make their problems go away, they had no assurance that the compromised data couldn't still be used. The criminals could well have kept or sold the data even after the payment was received. This response goes well beyond unprofessional behaviour all the way to gross negligence and will no doubt come with legal consequences.”

Ilia Kolochenko, CEO of High-Tech Bridge

"I think the most important thing now is to ascertain that the alleged scope of the breach is not mistakenly underestimated or deliberately concealed. Uber is a very attractive target for professional hackers, from Black Hat mercenaries to nation-state groups. The uncovered incident may be just the tip of the iceberg. Taking into consideration currently available but not yet confirmed facts, the root cause of the incident is Uber's banal negligence. Nonetheless, it's too early to blame anyone or to make any ultimate conclusions until the remaining technical details are properly investigated and publicly disclosed. Speaking about the legal side of the breach, it will likely bestow on Uber a wide spectrum of lawsuits in different jurisdictions and quite painful sanctions."