This month is full of security and data breach surprises. Apart from Imgur's case, in which the company realized it had been hacked three years ago, Uber's case will perplex you. Around October 2017, hackers attacked Uber and gained access to data that could further compromise the security of the affected victims. Most of the accessed data consisted of personally identifiable information. The breach involved about 57 million records of customer and driver data.
Uber told Bloomberg that 50 million of those records included phone numbers, real names and email addresses. The other 7 million were driver records, including some six hundred thousand US driver's license numbers. In the UK, the breach affected about 2.7 million British riders and drivers. According to Uber, however, the British figure is approximate rather than definitive, as the app does not record where its users live. On the bright side, other information such as credit card numbers, social security numbers and trip locations was not taken. All of this was made public after Uber investors ousted its Chief Security Officer, together with one of his deputies, who were responsible for keeping the hack under the radar using methods that included paying the attackers $100,000. The incident occurred while Uber was being investigated by US Federal Trade Commission regulators over claims of privacy violations. Uber declined to reveal the identity of the attackers but believes the stolen information was never used.
Dara Khosrowshahi, the current Chief Executive Officer, who took office in September, said in an emailed statement: "None of this should have happened, and I will not make excuses for it." He added: "We are changing the way we do business." After the disclosure, an investigation was launched into the attack, and a customer seeking class-action status has sued Uber for negligence over the breach.
Timeline
Travis Kalanick, the former CEO and Uber's co-founder, learned about the hack a month after it happened. At the time, Joe Sullivan was the Chief Security Officer and was responsible for responding to the hack. It was his actions that led to the hack being concealed. This was revealed by an outside firm commissioned to investigate the activities of Joe Sullivan's security team.
Here, in a nutshell, is how the hack happened according to the company. It started when two hackers gained access to a private GitHub site used by the company's software engineers. They then used credentials found on that site to log into the company's Amazon Web Services (AWS) account, which handles the company's computing tasks. It was in this AWS account that the hackers discovered an archive containing the customer and driver information. The hackers then demanded money from Uber. "At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals," said Dara Khosrowshahi. He added: "We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts." Under federal law, a company is obligated to report when customer information has been compromised, but Uber failed to do so. This is nothing new for Uber, which has had a reputation, since its founding, for not operating in accordance with the laws of the areas in which it has established itself.
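The weak link in the chain described above is a cloud credential sitting in a code repository. The scanner below is an added example, not Uber's code or anything from the article: it flags lines that look like an AWS access key ID (the `AKIA` prefix followed by 16 upper-case alphanumerics) or a 40-character secret assigned to a variable whose name mentions "secret", so that such a check can run as a pre-commit hook or in CI before the repository is pushed. The sample files and their contents are constructed for the example; the key values are AWS's documentation placeholders, not live credentials.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample "files" standing in for a repository checkout.
# The credential values are AWS's public documentation placeholders.
SAMPLE_FILES: Dict[str, str] = {
    "config/settings.py": (
        "DEBUG = False\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    "deploy/run.sh": (
        "#!/bin/sh\n"
        "export AWS_PROFILE=prod   # credentials come from the environment, not the repo\n"
        "aws s3 ls s3://backups/\n"
    ),
}

# AWS access key ID: literal 'AKIA' followed by exactly 16 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")

# A 40-character base64-like value assigned to a variable whose name contains
# 'secret' (e.g. AWS_SECRET_ACCESS_KEY = '...'); case-insensitive.
SECRET_KEY_RE = re.compile(
    r"(?i)secret[a-z_]*\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})['\"]?"
)

# (path, 1-based line number, finding type)
Finding = Tuple[str, int, str]


def scan_text(path: str, text: str) -> List[Finding]:
    """Return one finding per matching line of a single file's contents."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ACCESS_KEY_RE.search(line):
            findings.append((path, lineno, "aws_access_key_id"))
        if SECRET_KEY_RE.search(line):
            findings.append((path, lineno, "aws_secret_access_key"))
    return findings


def scan_repo(files: Dict[str, str]) -> List[Finding]:
    """Scan every file in the (path -> contents) mapping."""
    findings: List[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def precommit_verdict(files: Dict[str, str]) -> int:
    """Exit status for a hook: 0 lets the commit through, 1 blocks it."""
    return 1 if scan_repo(files) else 0


if __name__ == "__main__":
    for path, lineno, kind in scan_repo(SAMPLE_FILES):
        print(f"{path}:{lineno}: possible {kind} committed to source")
    raise SystemExit(precommit_verdict(SAMPLE_FILES))
```

Run as-is it reports the two credential lines in `config/settings.py` and exits non-zero, while `deploy/run.sh`, which pulls credentials from the environment, passes. In a real hook you would feed it the staged files instead of `SAMPLE_FILES`; pattern matching of this kind catches the obvious cases, and the complementary control on the cloud side is to issue short-lived, role-scoped credentials so that a leaked long-lived key has little value.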
Law trails
Uber now faces at least five criminal probes in the US into possibly questionable pricing schemes, unauthorized software, theft of competitors' intellectual property and even possible bribes. There are also a dozen civil lawsuits the company is facing. In the UK, regulators such as the National Crime Agency are looking into the magnitude of the breach. Previously, London had taken steps to ban Uber and withdraw its license because of the company's reckless behavior. Another reason was that London wanted Uber to explain its use of an internal software tool known as Greyball. Uber used this software in the US to sidestep regulators and other law enforcers, as it identified regulatory officials and blocked them from using its app. Earlier this year, it was also reported that the DoJ was investigating Uber's use of Greyball. A data breach had also occurred in 2014, and Uber did not promptly report it. That earned the company a $20,000 fine.
What next?
In an email, Khosrowshahi stated, "While I can't erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes." The statement is a clear indication that Uber wants to clean up its dealings. To demonstrate that, Uber has made several changes to its company structure, removing the people who were supposed to report the data breach but did not. To restructure the security team and make sure its security is up to date, the company has hired Matt Olsen, the former general counsel of the NSA and former director of the National Counterterrorism Center, as an adviser. Uber has also hired a reputable cybersecurity firm to investigate the attack.
The current CEO said that in order to set a course for the future, the company would have to be transparent and honest, and work hard to repair its past mistakes. It is through this that Uber will earn back trust and become the company that every customer, employee and partner would be proud of. Uber also said it would provide free credit protection, monitoring and identity theft protection for drivers whose license numbers were compromised.