Uber is back in hot water again after revealing that over 57 million records were exposed in a 2016 data breach, which it subsequently covered up. This news comes not long after Uber ousted founder and CEO Travis Kalanick, who was succeeded in August by Dara Khosrowshahi. Kalanick was forced out of his own company due to a litany of scandals, and now Khosrowshahi is keen to do things the right way, hence the fresh statement disclosing the breach. However, this has put Uber in a very troubling situation: not only does it face legal action for covering up a data breach, but the disclosure has also revealed an incredibly poor security culture within the company.
Uber will already be subject to regular external data audits for the next 20 years due to a previous, much smaller data breach
This latest data breach has put Uber directly in the firing line of the US Federal Trade Commission, which is responsible for taking action against companies that engage in unfair or deceptive practices. A spokesperson for the FTC stated this week, "We are aware of press reports describing a breach in late 2016 at Uber and Uber officials' actions after that breach. We are closely evaluating the serious issues raised". In addition to the FTC, Uber is so far also facing investigation from data protection authorities in the UK, Australia and the Philippines.
The breach itself exposed 57 million rider and driver records, and for around 600,000 US drivers the stolen data also included their driver's licence numbers. The rider records are believed to contain names, email addresses and phone numbers. Previously, Uber suffered a data breach in 2014 in which the details of roughly 100,000 drivers were compromised. The 2014 breach was considerably smaller; Uber paid a $20,000 penalty to the New York Attorney General for its delayed notification and, in a separate settlement with the FTC, agreed to 20 years of external privacy audits.
Worse still, both data breaches happened because of the same security flaw in how Uber operates. Software engineers working for the company used GitHub, an online platform for hosting source code, to work on code for the app. In 2014, attackers found, on a public-facing GitHub page belonging to an Uber engineer, a key that unlocked an Uber database hosted on Amazon Web Services, and used it to pull the driver data. In 2016 this incident was repeated almost like-for-like: attackers got into a private GitHub repository used by Uber engineers, found AWS credentials committed in the code, and used them to download the archive of rider and driver records from an Amazon S3 storage bucket. The private/public distinction made no difference. A credential committed to source control is exposed to anyone who ever gets a copy of the repository, and a long-lived key with enough access to read tens of millions of records in one go is exactly the kind of secret that should never sit in a file in the first place.
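The failure described above, credentials committed into a repository, is one that a commit-time check catches cheaply. The following is an added example written for this article, not Uber's code or any tool Uber used: a small pre-commit style scanner that reads a unified diff (for example the output of "git diff --cached"), examines only the lines being added, and flags anything shaped like an AWS access key ID or a secret access key. The sample diff embedded in it is constructed for the example; the two key values in it are the example credentials published in the AWS documentation, not live keys. The entropy threshold and the regular expressions are the example's own choices, not an AWS specification.

```python
"""Scan the added lines of a unified diff for AWS credentials.

Added example for this article; not Uber's code. The sample diff below
is constructed, and its key values are AWS's documented example values.
Usage: git diff --cached | python scan_diff.py   (exit 1 if any finding)
"""
import math
import re
import sys
from dataclasses import dataclass

# Long-term (AKIA) and temporary (ASIA) access key IDs are 20 characters.
ACCESS_KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys are 40 base64-style characters. Only match when an
# assignment mentions "secret ... key", to avoid flagging every hash.
SECRET_KEY = re.compile(
    r"(?i)(?:aws)?[_\-\s]*secret[_\-\s]*(?:access)?[_\-\s]*key[\"'\s]*[:=][\"'\s]*"
    r"([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+=])"
)
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")
ENTROPY_THRESHOLD = 3.5  # example's choice: placeholders like "AAAA..." score 0


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    redacted: str  # never echo the full secret back into logs


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random 40-char keys score well above 4."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(token: str) -> str:
    return token[:4] + "..." + token[-4:]


def scan_line(path: str, lineno: int, text: str) -> list:
    findings = []
    for m in ACCESS_KEY_ID.finditer(text):
        findings.append(Finding(path, lineno, "aws_access_key_id", redact(m.group(0))))
    for m in SECRET_KEY.finditer(text):
        candidate = m.group(1)
        if shannon_entropy(candidate) >= ENTROPY_THRESHOLD:
            findings.append(Finding(path, lineno, "aws_secret_access_key", redact(candidate)))
    return findings


def scan_diff(diff_text: str) -> list:
    """Walk a unified diff, tracking the new-file line number, and scan '+' lines."""
    findings, path, new_line = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].split("\t")[0]
            path = path[2:] if path.startswith("b/") else path
            continue
        if raw.startswith("--- "):
            continue
        m = HUNK.match(raw)
        if m:
            new_line = int(m.group(1))
            continue
        if raw.startswith("+"):
            findings.extend(scan_line(path, new_line, raw[1:]))
            new_line += 1
        elif raw.startswith(" "):
            new_line += 1
        # '-' lines are gone from the new file: nothing to scan, no line advance.
    return findings


# Constructed sample diff: an engineer hard-codes AWS keys in a settings file.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,4 +10,6 @@ import os
 S3_BUCKET = "trip-exports"
-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+# TODO remove before push
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
 REGION = "us-east-1"
"""

if __name__ == "__main__":
    diff = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    hits = scan_diff(diff)
    for f in hits:
        print(f"{f.path}:{f.line}: {f.kind} {f.redacted}")
    sys.exit(1 if hits else 0)
```

Wired into a pre-commit hook, a non-zero exit blocks the commit before the key ever reaches a remote. The scanner is deliberately narrow (two AWS formats, added lines only) so that it stays fast and low-noise; a real deployment would also scan the existing history once, because a key that was committed and later deleted is still present in every clone.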
It is mandatory in many jurisdictions around the world that when a company suffers a data breach, it must notify the relevant data protection authorities and the affected parties. This is the case in 48 of the 50 US states, as well as in most European countries (and the upcoming GDPR will set a uniform 72-hour deadline for notifying the supervisory authority) and other countries where Uber operates. However, when this breach occurred, instead of facing up to its mistakes and handling the incident lawfully, Uber decided to pay off the criminals instead. Disguised as a 'bug bounty', Uber paid out $100,000 to the hackers and "obtained assurances that the downloaded data had been destroyed". That is a big bet on the word of criminals, and it stretches the meaning of a bug bounty well past breaking point: a genuine bounty rewards a researcher for reporting a flaw, not for handing back tens of millions of records they have already taken. These days people can hardly trust legitimate companies, let alone shady cyber criminals.
Needless to say, this was a huge can of worms for new CEO Dara Khosrowshahi to deal with. In a statement this week, Khosrowshahi maintained that he was committed to learning from Uber's mistakes and changing how the company does business. He assured authorities that "outside forensics experts have not seen any indication that trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded". Meanwhile, his predecessor Travis Kalanick is alleged to have known about the breach at the time and to have been complicit in the decision to hide it from drivers, customers and data protection authorities alike. Uber's Chief Security Officer, Joe Sullivan, has since been sacked for his role in handling the breach last year.
There are a multitude of lessons that businesses could learn from Uber and its latest shambles, but two in particular stand out. The first is that should a data breach occur, it is imperative that the relevant authorities are contacted promptly; failure to do so consistently leads to larger fines and a significant loss of brand reputation and trust in the company. Secondly, cyber security is not just an issue for the IT department: it affects every single employee, and creating a culture of security is hugely important. In Uber's case, the warning signs were there in 2014, when it became clear how lax its engineers were with such crucial credentials. The fact that the same attack vector was exploited twice speaks volumes about how seriously the company took its security and its users' data.
We would strongly advise any business to train its staff in cyber security awareness and keep them up to date with the threats the company may face. We also strongly advise that businesses have a thorough plan ready for dealing with a breach, from a procedure for notifying the authorities to reliable backups for restoring any data that has been destroyed or tampered with. And for the specific mistake that caught Uber twice, keep credentials out of source code: scan commits for secrets before they are pushed, prefer short-lived credentials over static keys, and scope every key to the least access it actually needs, so that one leaked key cannot hand over an entire customer database.
Don’t pull an Uber.