Just a few days before Thanksgiving, Uber CEO Dara Khosrowshahi announced that the globally-spanning personal transportation service had been the victim of a serious data breach. The attack occurred over a year ago in October 2016 under the previous CEO’s watch, though the company was not made fully aware of the incident until the following month. Details are still coming out, but it appears that two perpetrators somehow accessed a third-party cloud server and acquired the information of 600,000 Uber drivers and 57 million customers.
Khosrowshahi’s predecessor evidently decided to give in to the demands of the hackers, and paid them US $100,000 with the promise that they would delete all of the data they had stolen. Khosrowshahi learned of the past breach some time before revealing it to the public; however, he claims he opted to investigate further and take steps to address it before making an announcement. Despite this assurance, the CEO was found to have already informed a potential investor about the attack before alerting everyone else, including authorities.
Uber has taken several steps to rectify the situation and regain the public’s trust, including terminating two employees (Chief Security Officer Joe Sullivan and lawyer Craig Clark) who were involved in the initial response to the breach. Additionally, they have notified regulatory agencies of the breach, brought on cybersecurity expert consultants, and offered increased protection and monitoring efforts for the drivers targeted and their hacked accounts. They have also offered numerous apologies for the behavior of the company immediately after the incident, though not all find this sufficient. U.S. lawmakers from both sides of the aisle have called on Uber to provide more details about the breach and the company’s management of it.
Both Democrats and Republicans have sent letters to Uber condemning the initial response and demanding more detailed answers. There is a very real possibility that the company may have violated multiple state and federal laws by paying the hackers, requesting the hackers destroy the evidence, electing not to inform the public or regulators, and informing investors before anyone else.
Uber experienced a similar situation in 2014, when they suffered a breach through a cloud server on Github.com and failed to alert either the drivers affected or the authorities for almost six months. They were forced to pay a $20,000 fine for their negligence.
Though Uber is still giving assurances they have the situation under control and that the data has not been leaked, there are several reports which may indicate otherwise. The Guardian reported that several users received bills for rides in several Russian cities that they never took, while the Independent claims that customers of UberEATS all of a sudden found similar charges on their accounts from the same areas.
People across Australia, the Philippines, the United Kingdom, the U.S., and many other countries have had their information exposed by the massive breach. A cyber intelligence firm, RepKnight, claims that they have previously found thousands of Uber employee emails posted on the dark web, and that these have been open for sale to hackers looking to make phishing attacks on the company’s software. Uber has become a tempting target for cybercriminals: they have access to personal and financial information of people across the world, they have proven to have relatively weak security for their size, and they have a history of not being forthcoming with authorities.
Whether it is this incident or one of the many other recent data breaches that has you worried about your information being leaked onto the dark web, as a business there is something else you should take away from this tale: protect customer data. No one wants to find out that the company with their credit card information was hacked. Attacks are made every day against organizations of all sizes, from small businesses to government institutions. Some cybercriminals might be relative amateurs, but others are longtime experts with refined techniques. Experiencing an attempted or successful hack is no longer a matter of if, but of when.
Not all of these breaches can be prevented with a technical security measure; sometimes the answer is as simple as being educated. Phishing attempts are a major cause of networks being compromised. SWK Network Services is here not only to manage your network but also to provide training for employees to detect phishing attempts. We also have the ability to run regular scans of the dark web to see if you or your company has compromised credentials out there, and can actively monitor your information and keep you up to date on any sudden suspicious activity. If you are interested in learning more, just give us a call.