Uber Covered Up Massive Hack in 2016 for More Than a Year
Uber said Tuesday that hackers accessed the personal data of 57 million of its users in a breach that had been covered up by the company for more than a year.
Stolen information included the names, email addresses and mobile phone numbers of customers around the world, while the names and driver’s license numbers of roughly 600,000 of its drivers in the United States were accessed.
“I recently learned that in late 2016 we became aware that two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use,” Uber CEO Dara Khosrowshahi wrote in a blog post Tuesday, adding that the incident did not breach Uber’s corporate systems or infrastructure.
According to a report from Bloomberg, attackers obtained credentials from a private GitHub site used by Uber’s software developers, which were used to access data stored on an Amazon Web Services (AWS) account.
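The control whose absence that account describes is a check that stops cloud credentials from being committed in the first place. As an added example, not code from the article, Uber or any named vendor, the following pre-commit style scan flags AWS access key IDs and secret keys in files before they reach a repository; the sample config is constructed and uses the well-known placeholder key pair from AWS documentation, not a live credential.

```python
"""Pre-commit style scan for AWS credentials in files about to be committed."""
import re
import sys
from typing import Iterable, List, Tuple

# AWS access key IDs start with AKIA (long-term) or ASIA (temporary) and are
# 20 characters long. A secret key is 40 base64-like characters; on its own
# that pattern is noisy, so it is only flagged when the line names the key.
AWS_ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
AWS_SECRET_KEY_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?([0-9A-Za-z/+]{40})(?!\w)"
)

Finding = Tuple[str, int, str]  # (path, line number, rule name)


def scan_text(path: str, text: str) -> List[Finding]:
    """Return one finding per (line, rule) that matches in the given text."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if AWS_ACCESS_KEY_RE.search(line):
            findings.append((path, lineno, "aws-access-key-id"))
        if AWS_SECRET_KEY_RE.search(line):
            findings.append((path, lineno, "aws-secret-access-key"))
    return findings


def scan_files(paths: Iterable[str]) -> List[Finding]:
    """Scan each file on disk; binary or unreadable files are skipped."""
    findings: List[Finding] = []
    for path in paths:
        try:
            with open(path, "r", encoding="utf-8") as fh:
                findings.extend(scan_text(path, fh.read()))
        except (OSError, UnicodeDecodeError):
            continue
    return findings


# Constructed sample: the placeholder key pair AWS uses in its own documentation.
SAMPLE_CONFIG = """\
[default]
region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

if __name__ == "__main__":
    # Usage as a hook: pass the staged file names; a non-zero exit blocks the commit.
    hits = scan_files(sys.argv[1:])
    for path, lineno, rule in hits:
        print(f"{path}:{lineno}: possible {rule}")
    sys.exit(1 if hits else 0)
```

Pattern matching catches the two AWS formats only; rotating to short-lived, role-based credentials removes the long-term secret that a scan can miss.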
Uber reportedly paid $100,000 to the hackers as a ransom payment in order to limit fallout from the breach. The company did not provide any details on such payment, but said “we subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed.”
Uber said that two employees “who led the response to the incident” are no longer with the company. While the company did not provide names, some reports indicate that Chief Security Officer Joe Sullivan has been let go. Uber hired Sullivan, Facebook’s former security chief, as its first ever Chief Security Officer in April 2015.
SecurityWeek has contacted Uber for comment on the ransom payment and Sullivan’s rumored departure.
“Today’s incident at Uber is an example of how unprotected machine identities can lead to data breaches. Access to cloud services, such as Amazon AWS, is secured with SSH keys that are often outside the control of security teams,” Kevin Bocek, chief security strategist for Venafi, told SecurityWeek. “Unfortunately, we have frequently seen SSH keys that provide access to AWS left unprotected in GitHub. Without robust SSH intelligence and strong security controls, malicious actors can abuse these keys while flying under the radar of most other security controls,” Bocek added.
If the European Union’s General Data Protection Regulation (GDPR) had been in effect, Uber could have been on the hook for a fine of more than $260 million as a result of the breach. Fortunately for Uber, GDPR does not go into effect until May 25, 2018.
“One of the reasons often cited for why these massive data breaches keep happening is that the penalties aren’t incentivizing companies to adequately protect their data,” Ken Spinner, VP of Field Engineering at Varonis, told SecurityWeek. “When GDPR kicks in next May, companies that handle EU citizen data will be faced with much stiffer penalties and a 72-hour disclosure window.”
“The Uber breach is staggering not so much in its magnitude, but more so in the extensive efforts the company seems to have made in concealing the breach in violation of their customers’ trust and perhaps laws that require disclosure,” John Gunn, Chief Marketing Officer at Vasco Data Security, told SecurityWeek.
Uber does run a bug bounty program to encourage security researchers to responsibly disclose vulnerabilities found across its services.
In June 2016, researchers from Portugal-based security consulting and audit firm Integrity identified more than a dozen vulnerabilities in Uber websites and services, including issues that could have been exploited to access driver and passenger information.
In 2015, Uber disclosed two security incidents: one where an unauthorized party gained access to the driver’s license numbers of roughly 50,000 drivers, and a software bug that exposed the personal details of hundreds of U.S. drivers.
*Updated with the amount of the possible fine if GDPR were in effect.