Uber Data Breach Fallout: Alleged Coverup By Chief Security Officer, Attorney
Uber, the ridesharing company that operates in 633 cities worldwide, suffered a data breach in October 2016 that allegedly was concealed by Chief Security Officer Joe Sullivan and in-house attorney Craig Clark, according to Bloomberg.
The Uber data breach affected approximately 50 million customers and 7 million drivers, Bloomberg stated. In addition, 600,000 U.S. driver’s license numbers were compromised during the breach.
How Did the Uber Data Breach Happen?
Two cyberattackers obtained access to a private GitHub coding site used by Uber software engineers, Bloomberg indicated. Here, the hackers discovered login credentials for an Uber Amazon Web Services (AWS) account.
Next, the hackers accessed an archive of Uber rider and driver information. They then requested money from Uber, and Sullivan and Clark paid $100,000 to the hackers to delete the compromised data and hide the cyberattack, Bloomberg indicated.
The data breach did not involve Uber’s corporate systems or infrastructure, Uber CEO Dara Khosrowshahi said in a prepared statement. Furthermore, there is no indication that Uber customers’ trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded.
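The entry point described above was credential material sitting in a source repository. The defensive control for that failure mode is secret scanning run before code is committed or pushed. The following is an added example, not Uber's tooling or anything from the article: a small Python scanner that flags AWS access key IDs (AWS's documented `AKIA`/`ASIA` + 16 uppercase alphanumerics shape) and assignments of 40-character secret keys, reports them with the value redacted, and exits non-zero so it can serve as a pre-commit hook. The sample configuration text is constructed for the demonstration and uses the placeholder secret key from AWS's own documentation.

```python
"""Minimal secret scanner for AWS credential material (added example).

Usage as a pre-commit hook:  python scan_secrets.py $(git diff --cached --name-only)
Exit status 1 means at least one probable credential was found.
"""
import re
import sys
from typing import Dict, Iterable, List

# The access key ID pattern follows AWS's documented format. The secret-key
# pattern is a heuristic: an assignment whose key name mentions "secret" and
# whose value is a 40-character base64-like token, the length AWS uses.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?(?:access[_-]?)?key\s*[=:]\s*['\"]?"
        r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
    ),
}


def redact(secret: str) -> str:
    """Keep only a prefix and suffix so a report never re-leaks the value."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "..." + secret[-4:]


def scan_text(text: str, path: str = "<stdin>") -> List[Dict[str, object]]:
    """Return one finding per credential-looking match, line by line."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                # Report the captured secret when the pattern has a group,
                # otherwise the whole match (the access key ID itself).
                value = m.group(m.lastindex) if m.lastindex else m.group(0)
                findings.append(
                    {"path": path, "line": lineno, "type": name, "match": redact(value)}
                )
    return findings


def scan_files(paths: Iterable[str]) -> List[Dict[str, object]]:
    """Scan each file; unreadable or binary files are skipped rather than fatal."""
    findings: List[Dict[str, object]] = []
    for path in paths:
        try:
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                findings.extend(scan_text(fh.read(), path))
        except OSError:
            continue
    return findings


# Constructed sample: what a leaked settings file committed by mistake looks like.
# The secret key value is the placeholder from AWS's documentation, not a real key.
SAMPLE_CONFIG = """\
# application settings (constructed example)
AWS_ACCESS_KEY_ID=AKIAEXAMPLEKEY000001
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
DB_HOST=db.internal
"""


def main(argv: List[str]) -> int:
    findings = scan_files(argv[1:]) if len(argv) > 1 else scan_text(SAMPLE_CONFIG, "sample")
    for f in findings:
        print(f"{f['path']}:{f['line']}: {f['type']} {f['match']}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with no arguments it scans the constructed sample and reports the access key ID on line 2 and the secret key on line 3, both redacted. The patterns are deliberately narrow to keep false positives low in a hook that blocks commits; a production deployment would add entropy checks and an allow-list for documented placeholder values such as the one used here.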
How Is Uber Responding to the Data Breach?
At the time of the data breach, Uber took steps to secure the compromised information and shut down further unauthorized access by the hackers, Khosrowshahi stated. The company obtained assurances that the downloaded data had been destroyed, Khosrowshahi indicated, and implemented security measures to strengthen controls on its cloud-based storage accounts.
However, Uber failed to comply with state and federal laws requiring it to notify affected stakeholders about the data breach, and it did not report the theft of driver’s license information, Bloomberg reported.
Khosrowshahi has asked for the resignation of Sullivan and fired Clark, Bloomberg reported. New York Attorney General Eric Schneiderman has launched an investigation into the breach as well.
Moreover, Uber is notifying the drivers whose driver’s license numbers were downloaded about the data breach. The company also is providing these drivers with free credit monitoring and identity theft protection services.
What Can MSSPs Learn from the Data Breach?
Ultimately, the Uber data breach shows that no company is immune to cyberattacks. And if an MSSP fails to notify end users about a data breach, it may put its brand reputation and revenues in danger.
“Not notifying consumers puts them at greater risk of being victimized with fraud. It’s for precisely this reason that many countries are driving to regulations with mandatory breach disclosure,” James Lyne, cybersecurity advisor at security software and hardware company Sophos, told MSSP Alert.
The Uber data breach also highlights the importance of using password protection measures to safeguard sensitive information. Fortunately, MSSPs can provide end users with predictive security solutions to help these users identify and address password protection issues.
“Predictive security solutions can look at the password behavior of users – including sharing of passwords across personal and corporate use – and flag that risk. With this kind of a solution, Uber would have been able to see developers sharing the same passwords for GitHub and AWS accounts and taken action to prevent this breach,” Manoj Asnani, vice president of product and design at enterprise breach risk solutions company Balbix, told MSSP Alert.