Uber Breach Disclosure Fails to Arrive in a Timely Manner

November 27, 2017 Marketing GrafWebCUSO

Buried among the holiday and political news, Uber disclosed that hackers accessed the personal information of 57 million riders and drivers in 2016, a breach it did not announce until last week.

At the time of the breach Uber paid the hackers $100,000 to destroy the data, and told neither regulators nor users. Uber said it received assurances that the data had been destroyed.

Dara Khosrowshahi, Uber's new CEO, said two hackers stole company data in late 2016, including the names, email addresses and phone numbers of 57 million Uber users, as well as the driver's license numbers of 600,000 of the company's drivers.

Khosrowshahi said he only recently learned of the breach. “None of this should have happened, and I will not make excuses for it,” he said in a company blog post. “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.”

“There was certainly a culture problem at Uber. The decision to cover up a data breach comes from the top, and requires the buy-in of other execs, who have now paid the price. The outgoing security officer, out of a misguided sense of loyalty, must have corrupted his ethical beliefs to facilitate the poor choices made in dealing with this,” said Andy Norton, director of threat intelligence at Redwood City, Calif.-based Lastline.

“Hopefully it will act as a warning for other companies who get extortion demands from hackers not to pay the ransom, and not cover up the breach of personally identifiable data on customers and employees,” Norton advised. “It appears the new CEO at Uber has proactively decided to disclose the 2016 breach, probably for the purposes of building a foundation on which to establish a solid reputation for strong governance and balanced risk management.”

Norton added that the disclosure arrives ahead of the GDPR deadline, and that this breach would be a poster-child example of what the regulation targets. The EU's General Data Protection Regulation, slated to take effect on May 25, 2018, tightens the rules for handling the personal data (PII) of EU residents and allows regulators to fine violators up to 4% of annual global turnover (or €20 million, whichever is higher). Norton suggested that, based on 2016 revenues, Uber would be looking at a $65 million fine, 4% of revenue, if European customer data was in the breached database.

Morey Haber, vice president of technology at Phoenix-based BeyondTrust, stated, “As a security professional, I am baffled by these events and not sure how to even prioritize the things they did wrong. Every business should consider these as lessons learned and not make the same mistakes.”

Haber listed some other concerns:

  • The breach occurred due to a failure to secure credentials on a GitHub site used by engineers. Then, leveraging the stolen privileges, the hackers gained access to the Amazon AWS instances that support Uber and compromised an archive file containing the data.
  • Uber maintained that no stolen information has shown up in any other attacks or incidents (for now).
  • Uber agreed to an FTC settlement three months ago over privacy concerns, without admitting wrongdoing, and before telling the agency about the breach – thus completely misleading the government!

“Clearly, their new executive team gets it, but the former CEO and legal officers were clueless. This is just another case of privileges being used in a targeted attack, hackers demanding ransom for stolen information, and companies not being morally responsible for the stolen user data,” Haber added.
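The first of Haber's concerns, credentials committed to a source repository, is the one with a concrete engineering control: refuse the commit before the key ever reaches GitHub. The following is an added example, not code from this article, from Uber or from BeyondTrust, of a minimal pre-commit style secret scanner. It looks for AWS access key IDs (the public AKIA/ASIA format), a 40-character secret on the same line as an "aws ... secret" keyword, and PEM private-key headers, and uses a Shannon-entropy filter so that placeholders like `AKIAXXXXXXXXXXXXXXXX` in a README do not block every commit. The file tree is a constructed sample; the AWS values are the example credentials published in AWS documentation, not live keys; the pattern set, the 20-character proximity window and the 3.0-bit entropy threshold are assumptions.

```python
import math
import re
from collections import Counter

# Credential shapes worth refusing at commit time (assumed set; extend as needed).
# The AWS access key ID layout (AKIA/ASIA + 16 upper-case alphanumerics) is public.
# The secret-key rule is a heuristic: a 40-character base64-like token on the
# same line, within 20 characters of the word "secret" following "aws".
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws.{0,20}secret.{0,20}['\"]?([A-Za-z0-9/+=]{40})"
    ),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"
    ),
}

# Placeholders such as AKIAXXXXXXXXXXXXXXXX have low entropy; real keys do not.
MIN_ENTROPY_BITS = 3.0  # assumed threshold, tune against your own repositories


def shannon_entropy(token: str) -> float:
    """Bits of entropy per character of the token."""
    counts = Counter(token)
    n = len(token)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_text(text: str, path: str = "<stdin>") -> list[dict]:
    """Return one finding per credential-looking token in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                token = match.group(1) if match.groups() else match.group(0)
                if kind != "private_key_block" and shannon_entropy(token) < MIN_ENTROPY_BITS:
                    continue  # looks like a placeholder, not a live credential
                findings.append({"path": path, "line": lineno, "kind": kind, "token": token})
    return findings


def scan_files(files: dict[str, str]) -> list[dict]:
    """Scan a mapping of path -> contents (what a hook would read from the index)."""
    findings = []
    for path, contents in files.items():
        findings.extend(scan_text(contents, path))
    return findings


# Constructed sample tree. The AWS values are the example credentials from AWS
# documentation, not live keys; the README holds an obvious placeholder.
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = True\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    "README.md": "Set AWS_ACCESS_KEY_ID=AKIAXXXXXXXXXXXXXXXX in your environment.\n",
    "deploy/server.pem": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIBOgIBAAJBAK\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
}


def main() -> int:
    """Exit non-zero when anything is found, so a git hook can block the commit."""
    findings = scan_files(SAMPLE_FILES)
    for f in findings:
        print(f"{f['path']}:{f['line']}: {f['kind']} ({f['token'][:4]}...)")
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run against the sample it reports the access key and secret in `config/settings.py` and the PEM header in `deploy/server.pem`, and stays quiet on the README placeholder. Wired into a pre-commit hook this is a cheap first line; it does not replace short-lived credentials and instance roles, which would have left nothing worth stealing from the repository in the first place.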

Forty-eight states have security breach notification laws, including California, Uber’s home state. State Attorneys General from New York and Massachusetts opened investigations into the data breach.

“American consumers deserve better from the companies they’ve entrusted with their financial information,” NAFCU President and CEO Dan Berger has said about these types of breaches. “Our country should already have a national data security standard in place for retailers and merchants, but we don’t and it’s extremely frustrating. How many more data breaches do consumers need to suffer before these companies are held accountable?”