In 2016, Uber suffered a data breach that exposed the personal information (names, email addresses, and phone numbers) of 57 million users. In the same breach, some 600,000 driver’s license numbers of Uber drivers were exposed.
So, What Was The Response?
The Federal government and state governments have laws protecting data privacy. Most of them require rapid reporting of data breaches to both the governments and the individuals whose data was exposed. Instead of following the laws, Uber decided to bury the bodies. With a careless indifference toward the rules and regulations that Uber has shown previously, the company got caught in a most unusual manner this time.
In this data breach, hackers first proved to Uber that they had stolen their data, then they demanded $100,000 not to reveal it. That’s a new twist for cyber-thieves.
How Did The Hackers Get The Data?
GitHub is a site where programmers and systems architects publish code and other information, both to store it privately and to show it off to others. The hackers got into the private side of Github and obtained user credentials of the Uber development team. Once they had those, they had free run of Uber’s systems.
What Did Uber Do?
Rather than reporting the breach as required, Uber’s Chief of Security paid the bounty of $100,000, got the hackers to sign a non-disclosure agreement, and disguised the $100,000 payout as a bug bounty on Uber’s internal records. The affected individuals were not contacted. The whole incident was covered up (hopefully).
Uber was already under investigation by the Federal Trade Commission (FTC) for failure to protect consumer information. In the course of that investigation, the 2016 hack was uncovered. The first settlement where Uber confessed to failing to protect customer and driver information was dated August 2017.
Then in November, Uber’s new CEO disclosed the massive breach. At that time, Uber had agreed to pay reparations to exposed individuals and various states to the tune of $148 million. One state attorney general called Uber’s behavior “Just inexcusable.”
Uber agreed to follow relevant laws in the future and hired outside counsel and an outside data firm to assess its security practices and safety measures. The results of those efforts have not been disclosed.
It was also learned that Uber paid the hackers to delete their copy of the data. That potentially violates a law that forbids companies from destroying any evidence in cases of cybercrime. Uber eventually fired their chief of security and several others.
It is the nature of the beast that Uber could not, in fact, confirm that the hackers had deleted every copy of the data. They could have, for example, made another copy and sold it on the Dark Web. Cyber Thieves are not known for their honesty. So, Uber’s efforts to conceal the breach and repair the damages may have been overshadowed from the start.
What Are The Lessons We Can All Learn From This?
Ever since the resignation of Richard Nixon in 1974, the phrase, “It’s not the crime, it’s the cover-up” has been well-known and understood.
The home décor and cooking guru Martha Stewart was convicted and imprisoned, not for a stock transaction that was, in fact, legal, but for lying to the FBI about it. Aside from their general legal and public relations futility, cover-ups usually do not succeed. Somebody leaks, or (as happened in this case), law enforcement stumbles across the cover-up while investigating something else.
When an incident like this happens, companies need to proceed on the assumption that the cover-up will be, at best, a temporary patch on a continuing problem.
What else can be learned from this?
Another lesson is that things that are supposed to remain private may not. The hackers were able to penetrate a supposedly private area of Github. In addition, the database they stole was on a third-party server, not one directly managed by Uber.
Even though the credentials stolen from GitHub were valid for the third-party server, had something like two-factor authentication been in place, the hackers would not have been able to access the server even though they had the proper credentials. There is more than enough blame to go around here. And, of course, the data on the third-party server was not encrypted.
Funding Hackers Is Not A Good Idea
In addition to everything else that was wrong in Uber’s response, the company wound up, in effect, rewarding the hackers with additional funding, enabling them to hack even more victims. Cybersecurity experts agree that funding hackers, no matter how desperate the situation seems, is never a good idea.
Uber’s response here can be compared to the similar reactions of Experian, a credit reporting agency, to a hack of its database that exposed the data of several hundred million users. First, it concealed the breach, then it denied it every happened, then Experian confessed that it did happen. Finally, they tried to monetize the breach by creating and advertising several “security” products to consumers.
Every move was deceptive and demonstrated just how little Experian cared about the privacy of its users. The lesson from Uber and Experian for the general business community is simple: “Don’t handle breaches the way we handled ours.”