Uber Concealed Massive Data Breach

The breach involved the data of 57 million users being stolen

News broke overnight that the ride-hailing giant Uber has disclosed a data breach from 2016 that it previously attempted to cover up. The breach involved the data of 57 million users being stolen, and the company subsequently paid the hackers £75,000 to delete the data.

Terry Ray, CTO, Imperva said: "As reports have noted, the hack wasn’t sophisticated — the digital thieves broke into the accounts of two Uber engineers on GitHub, where they found the passwords to some online data storage that contained the personal info, according to the report.

"This appears to be a prime example of good intentions gone bad. Using an online collaboration and coding platform isn’t necessarily wrong, and it isn’t clear if getting your accounts hacked on these platforms is even uncommon. The problem begins with why live production data was used in an online platform where credentials were available in GitHub.

"Sadly, it’s all too common that developers are allowed to copy live production data for use in development, testing and QA. This data is almost never monitored or secured, and as we can see here, it is often stored in various locations and is often easily accessed by nefarious actors.

"Some of the questions that should be answered include: Why did engineers have access to 57 million records of personally identifiable information? Did they go through an approval workflow to move that data online? Did Uber security have any monitoring in place to alert them when such vast amounts of data were accessed? Controls to alert on suspicious data access do exist, but my guess is that they were not used, which is all too typical in today’s enterprises.

"There have been data masking solutions available for more than a decade that transform production data into ‘like’ production data for development and testing purposes, thereby fully eliminating this risk, yet some don’t take such best practices or even fundamental security practices into consideration before asking for and using the public’s data. Uber is not alone, as many of these articles point out; they are simply this week’s hot breach due to the scope of the exposed data and the way they handled the incident.

"In the digital age, it is common in organizations that many employees and affiliates need access to a large amount of the company’s data simply to do their job. Thus, controlling data access becomes one of the most challenging tasks of security officers. The result is that most certainly, there will be another breach next week."
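The data masking Ray describes, turning production records into 'like' production data before they reach development and test environments, can be illustrated with the following added example. It is not code from the article, from Imperva or from Uber. It assumes a rider record with `name`, `email` and `phone` fields (constructed here) and a masking key that in practice would come from a secrets manager rather than a constant; the keyed HMAC keeps the substitution deterministic within a run, so joins and duplicates behave as in production, while the real values never leave the production boundary.

```python
"""Deterministic, format-preserving masking of PII for dev/test copies.

Added example (not from the article or the companies quoted). The
masking is keyed with an HMAC so that:
  * the same production value always maps to the same masked value
    within one run (referential integrity and duplicates survive), and
  * nobody without the key can walk the mapping back to the real value.
"""
import hashlib
import hmac
import re

# Constructed sample export standing in for a production table.
# Record 1003 deliberately repeats the PII of 1001 to show determinism.
PRODUCTION_RECORDS = [
    {"rider_id": 1001, "name": "Alice Example", "email": "alice@example.com", "phone": "+1-415-555-0101"},
    {"rider_id": 1002, "name": "Bob Sample", "email": "bob@example.org", "phone": "+44 20 7946 0958"},
    {"rider_id": 1003, "name": "Alice Example", "email": "alice@example.com", "phone": "+1-415-555-0101"},
]

# Assumption: in a real pipeline this key is fetched from a secrets manager,
# is never written to the repo, and is rotated per masking run.
MASKING_KEY = b"constructed-example-key-do-not-reuse"

PII_FIELDS = ("name", "email", "phone")


def _prf(key: bytes, field: str, value: str) -> bytes:
    """Keyed pseudo-random function over (field, value).

    Including the field name keeps an e-mail and a phone number that happen
    to share text from producing related tokens.
    """
    return hmac.new(key, f"{field}:{value}".encode("utf-8"), hashlib.sha256).digest()


def mask_name(key: bytes, value: str) -> str:
    """Replace a name with an opaque but stable token."""
    return "User-" + _prf(key, "name", value).hex()[:8]


def mask_email(key: bytes, value: str) -> str:
    """Replace the whole address; the original domain is dropped because a
    small or internal domain can itself identify a person."""
    return f"u{_prf(key, 'email', value).hex()[:10]}@masked.example"


def mask_phone(key: bytes, value: str) -> str:
    """Keep the punctuation and digit count so UI and validation code in
    test still exercise real-looking numbers; only the digits change."""
    # 32 bytes as a decimal integer gives ~77 digits, far more than any number needs.
    replacement_digits = iter(str(int.from_bytes(_prf(key, "phone", value), "big")))
    return "".join(next(replacement_digits) if ch.isdigit() else ch for ch in value)


MASKERS = {"name": mask_name, "email": mask_email, "phone": mask_phone}


def mask_record(key: bytes, record: dict) -> dict:
    """Return a new record with every PII field masked; non-PII fields
    such as the surrogate key are copied unchanged so joins still work."""
    masked = dict(record)
    for field, fn in MASKERS.items():
        if field in masked and masked[field] is not None:
            masked[field] = fn(key, str(masked[field]))
    return masked


def mask_dataset(key: bytes, records: list) -> list:
    return [mask_record(key, r) for r in records]


def leaked_values(originals: list, masked: list) -> list:
    """Release gate: list every original PII value that still appears
    anywhere in the masked output. Empty list means the copy may ship."""
    haystack = "\n".join(str(v) for r in masked for v in r.values())
    return sorted({str(r[f]) for r in originals for f in PII_FIELDS if f in r and str(r[f]) in haystack})


def shape_of_phone(value: str) -> str:
    """Helper for checks: the phone's layout with every digit replaced by '9'."""
    return re.sub(r"\d", "9", value)


if __name__ == "__main__":
    out = mask_dataset(MASKING_KEY, PRODUCTION_RECORDS)
    for row in out:
        print(row)
    print("leaked:", leaked_values(PRODUCTION_RECORDS, out))
```

Run against a real export this would sit in the copy job between the production database and whatever the developers are allowed to pull; the `leaked_values` check is the gate that fails the job if any raw PII slipped through a field the masker did not know about.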

Ryan Wilk, VP at NuData Security said: "While the news of the Uber breach is never something you want to hear, it is refreshing to see a company taking such quick and decisive action to earn back the consumers’ trust. Uber CEO Dara Khosrowshahi’s statement that there is no excuse for what happened and that Uber will be putting integrity and trust at the core of every business decision is a welcome message."

Josh Mayfield, director at Firemon said: "The most recent cyberattack, hitting the rideshare service Uber, makes clear the relevance of security in hyper-growth companies. Often, organizations experiencing a meteoric rise fail to keep up with security disciplines, which can lead to, say, 50 million customer records being stolen.

"It stands to reason that if Uber cannot keep its data secure, it is time to start thinking differently. Businesses and cyber threats move at a break-neck speed, making it increasingly difficult to keep pace with the latest malware mutations and cyberattack tactics.

"It is not from lack of investment that data breaches happen. But the investments do not reflect the security intent for the most valuable information assets. Anyone can become cyber-resilient with the concerted discipline to focus on assets and form global policy controls, informed by security intent.

"In a business like Uber, where you have computing resources flying around the world, in-and-out of clouds, you have a security policy that follows the system – protecting it no matter where it goes."
