James Chappell, CTO and Co-Founder, Digital Shadows, says:
“News that the darling of the disruptive digital age, taxi app company Uber, was hacked in 2016 with statements confirming that 57 million customers and 600,000 drivers’ personal details were compromised and potentially stolen should not really come as a surprise.
While you could be surprised at such an effective architect of the digital world would not be fully prepared for such an event, it does show that even the most tech-savvy businesses are open to the menace of data breaches and cyber-attacks.
We don’t yet know the full picture of what happened at Uber, but their statement says that hackers accessed a ‘private’ area of GitHub, a Web-based data hosting service used by the app developers. That likely means one of two things:
1. That the ‘private area’ should have been private, but was not for some reason.
Or
2. It could mean that ‘private area’ is behind the GitHub login pages and some sort of compromise of GitHub must have occurred, most likely by credential stuffing or keylogging.
But what is absolutely certain is that this sort of attack should have been spotted sooner and ideally before significant data had been extracted. If basic login details were stolen, this is something Uber could have been monitoring for and prevented. The storage of sensitive IT system logins should not have been in that website in the first place. It appears in Uber’s case they found out about it when the hackers came asking for money to delete the stolen data – $100,000 (£75,000). Of course, there is little honour amongst thieves and whether paying the ransom had the effect of deleting the data as expected, only time will tell. Security firms often advise not to pay ransoms, as organisations can make themselves a more attractive target should their willingness to pay emerge.
Visibility for a business’s digital risks – the shadow they leave on the Internet through their business activities across the surface, deep and dark web – is a critical way to monitor for digital risk and the ability to recognise and respond quickly when something is wrong.
Knowing you have a problem is the first step in dealing with it. Cyber-attacks are an all too common reality for business today – especially for those at the front-line in the digital revolution.
What is most concerning about this incident is the steps taken by Uber to notify people about the issue and describe what they have done to deal with it. A long period has elapsed since they were aware. Again, we don’t know the full details from Uber, but it is beholden on all businesses who have suffered a data breach to notify their staff, customers, suppliers and in some cases, the regulator, their data might be exposed, and it doesn’t seem like this happened until now- some months after the event.
Bottom-line, no matter what your business is like – in the vanguard of the digital revolution, or a more traditional one, you need to have the ability to monitor both your own use of digital technologies, and manage your digital footprint even and especially across third party sites like GitHub and others. Knowing your digital risk exposure is the only way you can monitor your digital risk itself, and be on top of incidents like this quickly and efficiently.”
Dan Sloshberg, cyber resilience expert, Mimecast, commented:
“Uber had both the legal and social obligation to inform governments and customers of this attack, and the fact the company chose to pay hackers and hide the massive breach is shocking. Pretending that an attack hasn’t happened, or quietly paying attackers off only emboldens perpetrators further.
“With the General Data Protection Regulation (GDPR) coming into effect in May 2018, businesses must report breaches within 72 hours or face crippling fines much bigger than what Uber paid to hackers.
Businesses need to realise that the impact of breaches can be very serious – with knock-on effects on the organisation itself, employees and customers. To combat threats and ensure they remain compliant ahead of the GDPR, organisations must invest in minimising their risk appropriately with an appropriate cyber resilience strategy. This should also include a plan if something does go wrong.”