Whilst a lot of news articles you will read today focus on the cover up of Ubers hack, not many will delve into the how and why of the actual data breach that should leave us questioning why big corporations we lend our sensitive information to do not take cybersecurity more seriously.
A hack that stole personal data of 57 million customers and drivers appears to of happened in October 2016. Covered up for over a year, the app we know and love paid $100,000 to hackers to ‘delete’ and keep the data breach quiet. Compromised data included names, email addresses and phone numbers from Uber riders around the world. The personal information of around 7 million drivers was also accessed, including 600,000 U.S. driver’s license numbers.
Uber CEO Dara Khosrowshahi wrote: “I recently learned that in late 2016 we became aware that two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use.”
Hackers discovered that the company’s developers had published code that included their usernames and passwords on a private account of the software repository GitHub. Those credentials gave the hackers immediate access to the developers’ privileged accounts on Uber’s network, and with it, access to sensitive Uber servers hosted on Amazon’s servers, including the rider and driver data they stole.
It is important to note at this point that the fee of $100,000 in which Uber paid to hackers in exchange for their discretion and assurances that they delete the data was very unusual. In the world of cybersecurity we often suggest that once data has been compromised a sum of money is not paid, as there is no guarantee that the attackers will delete it or even return the data in the first place.
After learning about the Uber hack, key questions come into our minds, such as why did the engineers have access to 57 million records of personally identifiable information? Did Uber have any monitoring in place to alert them when such vast amounts of data were accessed?
What often happens when large scale breaches like the one Uber faced last year, is a crackdown and a shift in attitude towards cybersecurity and how detrimental it can be for companies who do not take it seriously. Cybercriminals are becoming more sophisticated by the day; they too can read code and execute code like the software developers’ big companies such as Uber employ to manage their apps.
Epidemics such as Crime as a Service (CaaS) are a real-time threat that sees professional hackers implement services for cybercrime that make data breaches, spear phishing attempts and ransomware attacks even more accessible to the everyday criminal.
We hope that Uber is serious about its claims to implement a shift in cybersecurity strategy, and a lesson for both companies and individuals that the threat of data theft is something which holds a lot of value in the wrong hands.