Cybersecurity experts comment on the Uber data breach

Cybersecurity experts comment on the Uber data breach

(L-R) Vincent Weafer, Vice President for McAfee Labs; Chester Wisniewski, Sophos Principal Research Scientist; James Lyne, Sophos Cyber Security Advisor and James Chappell, CTO and co-founder, Digital Shadows

James Chappell, CTO and co-founder, Digital Shadows:

News that taxi app company, Uber, was hacked in 2016 – with statements confirming that 57 million customers and 600,000 drivers’ personal details were compromised and potentially stolen – should not really come as a surprise.

While you could be surprised that such an effective architect of the digital world would not be fully prepared for such an event, it does show that even the most tech-savvy businesses are open to the menace of data breaches and cyberattacks.

We don’t yet know the full picture of what happened at Uber, but their statement says that hackers accessed a ‘private’ area of GitHub, a Web-based data hosting service used by the app developers. That likely means one of two things:

1. That the ‘private area’ should have been private, but was not for some reason.
Or
2. It could mean that ‘private area’ is behind the GitHub login pages and some sort of compromise of GitHub must have occurred, most likely by credential stuffing or keylogging.

But what is absolutely certain is that this sort of attack should have been spotted sooner and ideally before significant data had been extracted. If basic login details were stolen, this is something Uber could have been monitoring for and prevented. The storage of sensitive IT system logins should not have been in that website in the first place. It appears in Uber’s case they found out about it when the hackers came asking for money to delete the stolen data – $100,000 (£75,000). Of course, there is little honour amongst thieves and whether paying the ransom had the effect of deleting the data as expected, only time will tell. Security firms often advise not to pay ransoms, as organisations can make themselves a more attractive target should their willingness to pay emerge.

Visibility for a business’s digital risks – the shadow they leave on the Internet through their business activities across the Surface, Deep and Dark Web – is a critical way to monitor for digital risk and the ability to recognise and respond quickly when something is wrong.

Knowing you have a problem is the first step in dealing with it. Cyberattacks are an all too common reality for business today – especially for those at the frontline in the digital revolution.

What is most concerning about this incident is the steps taken by Uber to notify people about the issue and describe what they have done to deal with it. A long period has elapsed since they were aware. Again, we don’t know the full details from Uber, but it is beholden on all businesses who have suffered a data breach to notify their staff, customers, suppliers and in some cases the regulator their data might be exposed, and it doesn’t seem like this happened until now some months after the event.

Bottom-line, no matter what your business is like, in the vanguard of the digital revolution, or a more traditional one, you need to have the ability to monitor both your own use of digital technologies, and manage your digital footprint, especially across third party sites like GitHub and others. Knowing your digital risk exposure is the only way you can monitor your digital risk itself, and be on top of incidents like this quickly and efficiently.”

Vincent Weafer, Vice President for McAfee Labs:

“This is yet another example of a fairly significant data breach, the sort of which is increasingly occurring across the industry. It is exposing personal information, email addresses, drivers’ addresses in this case, contact information, that can be used to more effectively customise attacks on individuals and organisations.

It appears the hack was successful because credentials that were used to access GitHub data or code were similar to those used to access Uber’s own data repository containing the personal information. It shows how attackers are trying to use credentials as a means of gaining entry inside organisations. Once a hacker has the credentials, he can move around inside an organisation without detection.

This is a good example of why people need to be very careful about how credentials are used and managed. We know attackers have been trying to track down administrator credentials – the keys to the kingdom – that allow them to move around within an organisation. Keeping those credentials separate and managing them should be a serious matter.”

Chester Wisniewski, Sophos Principal Research Scientist:

“Uber’s breach demonstrates once again how developers need to take security seriously and never embed or deploy access tokens and keys in source code repositories. I would say it feels like I have watched this movie before, but usually organisations aren’t caught while actively involved in a cover-up. Putting the drama aside and the potential impacts from the upcoming GDPR enforcement, this is just another development team with poor security practices that has shared credentials. Sadly, this is common more often than not in agile development environments.”

James Lyne, Sophos Cybersecurity Advisor:

“Uber isn’t the only and won’t be the last company to hide a data breach or cyberattack. Not notifying consumers puts them at greater risk of being victimised with fraud. It’s for precisely this reason that many countries are driving to regulations with mandatory breach disclosure.”

Browse our latest issue

Intelligent CISO

View Magazine Archive