Not just your average major technology breach
The Uber hack disclosed publicly on 21 November 2017 raised several concerns that go beyond it being just another major technology breach. While there are obvious questions around how sensitive information could have been allowed to be compromised and how the ride-hailing firm should make amends to those affected, there is ample scope for criticism about the way it responded to the attack, its apparent cavalier approach to corporate governance, and its general risk management.
If a high-profile operation like Uber can foul up like this, there are important lessons for every board in every business. Whatever measures you put in place, security breaches can and do happen. The vital thing is to be able to manage the fallout effectively, not to go to extreme measures to hush it up. Uber seems to have got things so badly wrong that its entire business may be jeopardised.
Among the factors that make this breach so significant are that:
- Uber decided to pay a ransom.
- Uber deliberately did not inform its regulators, and tried to hush up the scandal.
- Information about the breach was deliberately concealed from those affected.
- Even Uber’s board seems to have not known what had happened.
- Data location and privacy issues mean that regulators worldwide are taking a keen interest.
- Hacked data was used to access a cloud service.
In October 2016, two attackers gained access to a private GitHub coding site associated with Uber engineers, and then used the login credentials they’d obtained to access data stored on an Amazon Web Services (AWS) data store. They found an archive of personal information, and demanded $100,000 from Uber to destroy all the records they’d copied.
Although required by law to disclose the breach, Uber’s chief information security officer (CISO) agreed to pay the ransom and hushed the whole thing up. Uber drivers – and potentially customers – whose information was compromised were not informed of the incident. 57 million people were affected (admittedly, nowhere near as many as the recent Equifax breach, for example, but still very significant). Uber’s incoming CEO supposedly only discovered what had been going on after the firm’s board commissioned a third party investigation.
The legal and regulatory implications
The legal and regulatory implications arising from the Uber hack seem certain to rumble on for years. And not just in the US. The UK Information Commissioner’s Office (ICO) has said it has “huge concerns” about the company's data protection policies and has launched its own investigation into Uber's decision to cover it up.
James Dipple-Johnstone, the ICO’s deputy commissioner, confirmed in response to the Uber news that: “deliberately concealing breaches from regulators and citizens could attract higher fines for companies.” At the moment, firms that operate in the UK can be fined up to £500,000 for failing to inform people if their data is stolen. Under the EU's general data protection regulation (GDPR), due to come into force in May 2018, companies could face fines of £17m or 4% of their global turnover, whichever is higher.
The investigations will doubtless examine the undertakings that Uber received that the stolen data was destroyed once the ransom was paid. Paying off hackers in this way and trying to avoid breach disclosure is thought to be rare, but there are never any guarantees that the criminals will keep their side of the bargain.
As for the individuals affected, Uber said in a statement to drivers that it would offer those affected free credit monitoring and identity theft protection, but that’s unlikely to go far enough. Whatever happens to Uber, it can expect to face plenty of lawsuits and fines worldwide over this incident.
Governance, risk management and breach response
While the Uber situation is unusual inasmuch as its CISO at the time himself appears to have been personally implicated in the scandal, the fact is that Uber’s board didn’t appreciate what was going on or what to do about it. And responsibility stops with the board. If the organisation’s governance and risk management isn’t in order, it’s difficult to nip problems in the bud.
According to 2017 research from industry forum ClubCISO, CISOs in the UK think boards are prioritising incident prevention over response capability and aren’t facing up to the likelihood of breaches. That’s why many CISOs feel they’ll be expected to clear up the mess when firms fail to prepare adequate incident response strategies. As ClubCISO’s Security Maturity Report 2017 puts it: “It seems inevitable that organisations are going to suffer data breaches at some time. It is people (acting maliciously or – more usually – naively) that create most vulnerabilities, not failings in technology, policies or processes.”
In other words, Uber should not only have ensured that its board would learn of such an incident when it occurred, but should also have prepared its response to that eventuality in advance. Good advice for us all.
What about cloud security?
The Uber incident does provide a few pointers for organisations storing data in the cloud. As noted above, Uber happened to be using AWS. There’s nothing to suggest that anything was wrong with AWS’s security, but the story does once again highlight that it’s the customer’s responsibility to look after its own data, whether stored on-premises or in the cloud.
The key points here are that it was Uber’s own security that was breached, enabling access to the GitHub and AWS accounts. Whatever protocols, policies and tools Uber had in place, they weren’t doing their job. What’s more, Uber committed the cardinal sin of data protection – it appears to have failed to encrypt the data on the AWS server.
Learn from your mistakes
This isn’t the first time Uber’s been in hot water over data security. 100,000 drivers were apparently compromised in 2014, and in August 2017 it had to agree to 20 years of privacy audits to settle data mishandling investigations.
According to The Register, “On May 12, 2014, an Uber engineer uploaded to GitHub the keys to an Amazon S3 bucket containing internal records on thousands of drivers. Someone spotted the key and used it to access over 100,000 unencrypted names and driver’s licence numbers, 215 unencrypted names and bank account and domestic routing numbers, and 84 unencrypted names and Social Security numbers from the AWS bucket. Uber didn’t even discover the mistake until September 2014.”
If that sounds familiar, it’s because it was EXACTLY the same way the latest Uber hack occurred. The difference this time is that it took a year instead of four months for the incident to come to light.
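The mechanism behind both the 2014 and the 2016 incidents is the same: a cloud credential ends up in a code repository, and whoever reads the repository can use it against the cloud account. The following is an added example, not Uber's, GitHub's or AWS's own code, of a pre-commit style scanner that flags AWS access key IDs and high-entropy secret access keys in text before it reaches a repository. The sample input is constructed for this example and uses the example key pair that AWS publishes in its own documentation; the script name `scan_secrets.py`, the entropy threshold and the key-name regex are assumptions.

```python
import math
import re
import sys
from dataclasses import dataclass

# AWS access key IDs are AKIA/ASIA followed by 16 uppercase alphanumerics (AWS's
# documented format). The guards on either side stop matches inside longer tokens.
AWS_ACCESS_KEY_ID = re.compile(r"(?<![A-Za-z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Za-z0-9])")

# A 40-character secret access key, only considered when a "secret ... key"-style
# name appears on the same line (assumed key names, to keep false positives down).
AWS_SECRET_KEY = re.compile(
    r"(?i)(?:aws_)?secret(?:_access)?_?key\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


@dataclass
class Finding:
    line_no: int
    kind: str
    masked: str  # never report the full credential, even to a terminal


def shannon_entropy(s: str) -> float:
    """Bits per character; placeholders such as 'aaaa...' score near zero."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def mask(value: str) -> str:
    """Keep the first and last four characters so a finding can be traced, hide the rest."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(text: str, min_entropy: float = 3.5) -> list:
    """Return findings for every line that looks like it carries an AWS credential.

    min_entropy (assumed threshold) filters out obvious placeholder secrets.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_ID.finditer(line):
            findings.append(Finding(line_no, "aws_access_key_id", mask(m.group(0))))
        for m in AWS_SECRET_KEY.finditer(line):
            candidate = m.group(1)
            if shannon_entropy(candidate) >= min_entropy:
                findings.append(Finding(line_no, "aws_secret_access_key", mask(candidate)))
    return findings


# Constructed sample of a credentials file accidentally staged for commit. The key
# pair is the example pair AWS uses in its documentation, not a live credential.
SAMPLE_COMMIT = """\
# constructed sample: ~/.aws/credentials copied into the repo by mistake
[default]
region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# placeholder value below should NOT be flagged (low entropy)
aws_secret_access_key = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
bucket = s3://example-driver-records
"""


def main() -> int:
    # Usage as a hook:  git diff --cached | python scan_secrets.py
    # With no stdin data, scan the constructed sample instead.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_COMMIT
    findings = scan_text(text)
    for f in findings:
        print(f"line {f.line_no}: possible {f.kind}: {f.masked}")
    # Non-zero exit blocks the commit when wired in as a pre-commit hook.
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run against the constructed sample, the scanner reports the access key ID on line 4 and the secret on line 5 and ignores the all-`a` placeholder on line 7. The two design choices worth keeping in a real hook are that the full value is never printed (a log of a secret is another copy of the secret) and that the check runs before the commit is created, since removing a key from history after it has been pushed does not revoke it.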