Uber is back in the hot water again after it has revealed that over 57 million records were exposed in a 2016 data breach, which it subsequently covered up. This news comes not long after Uber ousted founder and CEO Travis Kalanick, who was suceeded in August by Dara Khosrowshahi. Kalanick was forced out of his own company due to a litany of scandals, and now Khosrowshahi is keen to do things the right way – hence the fresh statement declaring the breach. However, this has put Uber into a very troubling situation as not only do they face legal action for covering up a data breach, but it has also revealed an incredibly poor security culture within the company.
Traditionally, cyber security has been seen as an IT department’s problem. They make sure everyone has antivirus on their PCs and take care of the firewall – and as long as they’re doing it right, then everyone else is safe… right? This has lulled users and business owners into a false sense of security of late, believing that cyber security simply isn’t their area or that it’s not in their job description. However, this attitude is now being taken advantage of in a big way by cyber criminals, who have discovered that individual users are much easier to target and deceive. As a result, users often takes actions which inadvertently allows the hackers to bypass the IT security systems. Traditional antivirus is dead, and even more advanced next-generation antivirus simply can’t stop the most deadly attacks. Now, everyone in an organisation has a part to play in keeping it secure, from the bottom all the way up to the CEO.
Hackers are now finding it easier to target regular users, who often lack cyber security training, than to try and bypass complex technical measures put in place by IT
Recently, car insurance and breakdown cover provider AA faced accusations of covering up the severity of a data breach that occurred in April of this year. The AA, through their customer support Twitter, chose to downplay reports of the breach and assured users that no credit card or other sensitive data had been exposed. Data was leaked from their online shop due to a server misconfiguration. However, this server contained data on over 100,000 AA customers, and included partial credit card data. Despite knowing about this breach for over two months, it wasn’t until the cyber security community cried out in outrage that AA eventually admitted to the severity of the breach. No customers were notified by the AA directly.
No customers that were impacted were directly notified by the AA, despite the breach being discovered in April.
For those of you who may not have heard of the Cyber Essentials scheme, it is an accreditation-based program created by the UK government and backed by the industry in both the UK and Ireland, to show that basic cyber security measures have been put in place that will block most cyber attacks. It was designed as an affordable alternative to ISO27001, which may be financially out-of-reach for many small/medium enterprises, and is a requirement for any businesses that deal with the UK government. So, it may have come as a surprise to many to find out that the IASME Consortium, one of six accrediting bodies in the UK, has suffered a data breach which exposed the company names and email addresses of their applicants. While no other information such as these companies’ security configurations were leaked, the breach could well open the exposed companies to phishing attacks from cyber criminals.
A list of Cyber Essentials applicants, including their company names and corporate email addresses, may have been leaked to hackers.
The Information Commissioner’s Office in the UK has issued a statement that organisations who train their staff in data security will be less likely to receive a fine or monetary penalty. The ICO recommends that at least 80% of an organisation’s staff are trained on how to handle sensitive data and keep it secure from data breaches, with a spokeswoman stating that “reasonable steps” must be taken to secure data, with “full account of the facts” taken into consideration in the event of a data breach being discovered.