Uber’s hack a masterclass in what not to do

November 22, 2017

The fallout from Uber’s hack and subsequent attempted coverup is a lesson for organisations in how not to respond to a data breach, security researchers say.

The ride-sharing company said today that it had paid hackers $US100,000 in an effort to conceal a data breach affecting 57 million accounts one year ago, leading to two firings at the US company. In addition to the names, emails and phone numbers of millions of riders, about 600,000 drivers’ licence numbers were accessed, Uber said.

“We are in the process of notifying various regulatory and government authorities and we expect to have ongoing discussions with them. Until we complete that process we aren’t in a position to get into any more details,” an Uber Australia spokesman said.

Michael Sutton, chief information security officer at security firm Zscaler, told The Australian that in 2017, companies are judged more on the breach response than the breach itself.

“Yet again we’re receiving a lesson in how not to respond,” Mr Sutton said.

“Uber undoubtedly violated numerous US and international data breach disclosure laws by failing to inform drivers and users that their personal information had been compromised,” he added.

“There’s also an ethical concern: Uber, a company that had already exhibited questionable judgment on a number of occasions, chose to go to significant lengths to bury a data breach rather than protect their customers and drivers.”

According to Mr Sutton, paying the hackers won’t necessarily protect Uber customers and drivers.

“The criminals could well have kept or sold the data even after the payment was received. This response goes well beyond unprofessional behaviour all the way to gross negligence and will no doubt come with legal consequences.”

Itay Glick, chief executive of cyber security firm Votiro, agreed, and said what’s frustrating about the story is that it’s not an example of a company being overwhelmed by a sophisticated hack. The reports indicate this was a relatively simple heist.

“This falls well short of what companies should be doing, which is notifying users at the soonest possible moment, then providing them with personal identifiable information insurance for a year.”

Amit Yoran, chairman and CEO of software firm Tenable, said the Uber hack was just the latest example of a widespread culture of lackadaisical cyber practices and a lack of executive accountability.

“Executives and organisations must be held accountable for both exercising a reasonable standard of care to protect their systems and their data and for discovering and disclosing breaches in a timely manner,” he said.

However, not everyone was so scathing of Uber CEO Dara Khosrowshahi, who has only been in the top job for a few months. Mr Khosrowshahi took the CEO role after controversial company founder Travis Kalanick was ousted earlier this year. Mr Kalanick was CEO in 2016 when the hack occurred.

“None of this should have happened, and I will not make excuses for it,” Mr Khosrowshahi said in a statement.

“While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”

Carlo Minassian, founder of security startup LMNTRIX, said the new CEO’s actions were refreshing and aligned to how a responsible company should behave.

“Covering up breaches is a common instinct across many organisations once they realise they simply haven’t done enough to keep their customer data secure,” he said.

“It boils down to human nature and their choices as individuals as opposed to a wider company decision. In this case their CSO knew the last thing Uber needed at that point was more controversy, so he tried to do what he felt was best for the company and ultimately paid the price for it with his job.”
