Bench & Bar of Minnesota is the official publication of the Minnesota State Bar Association.

#UberFail

Uber headquarters, San Francisco – Nicolas McComber / Getty Images

The recent headlines about Uber’s 2016 data breach describe yet another cyber event that left millions compromised and rightfully angry. But yet again, people by and large are not angry that the breach happened, or even necessarily about the large size of the breach, which involved approximately 57 million Uber riders and drivers. Mostly, people seem to be angry about the way this breach was handled.

For starters, isn’t it odd that this breach occurred in October 2016 and we’re only hearing about it in the past month or two? In clear violation of data breach disclosure laws, Uber attempted to cover up the breach by paying the cybercriminals to delete the stolen data and keep quiet. Now, like those compromised in the Equifax breach, the 57 million victims will have to remain ever-vigilant about the possible consequences. Everything from credit card fraud to identity theft is a possibility for the individuals whose data was compromised. Some say the information obtained from the breach has now been posted on the Dark Web. Uber’s attempted cover-up is one of many missteps in its handling of this incident.

But it wasn’t the first.

How not to do security

What made this particular attack possible was the fact that Uber required only one set of credentials to access a huge store of account data. This means that once the hackers had this single set of credentials, they were able to access a vast amount of personal information very simply. Cybersecurity experts agree that this was not a sophisticated attack. This kind of access is akin to using one password and username for every single one of your accounts. If someone obtained this bit of information, they could access every account you hold. Uber’s pre-existing security flaws and clear oversights in its protocols made it entirely too easy for the hackers.

Once the breach occurred, it is speculated that Uber might have been able to mitigate the damage had the proper controls been in place. But it appears that Uber did not implement any kind of security safeguard designed to alert the organization to unauthorized data access. In addition to storing the personal information poorly, storing too much information in one place, and lacking proper access controls, Uber was also unable to monitor the illicit access in any efficient and timely way.
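As an added example, and not code from the article or from Uber’s own systems, the following Python script sketches the kind of alerting the preceding paragraph says was missing. It reads a constructed access log for an account store, keeps a one-hour sliding window of rows returned per credential, and raises an alert when a single credential pulls more than an assumed threshold of rows, noting whether the request came from a source that credential had never been seen from before. The log format, field names, threshold and sample lines are all assumptions for illustration; the sample burst is sized to total 57 million rows only to echo the figure in the article.

```python
"""Detect bulk record access by a single credential.

Added example for illustration; not the article's or Uber's code.
Log format, field names and the alert threshold are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access log, one line per query against the account store:
# ISO timestamp | credential id | rows returned | client source
SAMPLE_LOG = """\
2016-10-12T09:00:01 svc-backup 120 build-host-1
2016-10-12T09:05:10 svc-backup 95 build-host-1
2016-10-12T09:30:44 analyst-1 40 laptop-7
2016-10-13T02:14:03 svc-backup 5000000 external-host
2016-10-13T02:16:48 svc-backup 9000000 external-host
2016-10-13T02:20:11 svc-backup 43000000 external-host
2016-10-13T08:00:00 analyst-1 55 laptop-7
"""

WINDOW = timedelta(hours=1)      # sliding window per credential (assumed)
ROW_THRESHOLD = 100_000          # rows per credential per window before alerting (assumed)


def parse_log(text):
    """Parse the whitespace-separated log into events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, cred, rows, source = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "cred": cred,
                       "rows": int(rows), "source": source})
    return sorted(events, key=lambda e: e["ts"])


def detect_bulk_access(events, window=WINDOW, threshold=ROW_THRESHOLD):
    """Return one alert per burst in which a credential exceeds `threshold`
    rows inside `window`. The alert records the peak rows seen in the window,
    the sources used, and whether the first offending request came from a
    source the credential had never used before."""
    recent = defaultdict(deque)       # cred -> (ts, rows) pairs still inside the window
    in_window = defaultdict(int)      # cred -> sum of rows over `recent[cred]`
    known_sources = defaultdict(set)  # cred -> sources seen so far (a simple baseline)
    open_alert = {}                   # cred -> alert dict while the burst is ongoing
    alerts = []

    for e in events:
        cred, ts = e["cred"], e["ts"]
        q = recent[cred]
        q.append((ts, e["rows"]))
        in_window[cred] += e["rows"]
        # Evict events that have fallen out of the window.
        while q and ts - q[0][0] > window:
            _, old_rows = q.popleft()
            in_window[cred] -= old_rows

        new_source = e["source"] not in known_sources[cred]
        known_sources[cred].add(e["source"])

        if in_window[cred] > threshold:
            if cred not in open_alert:
                open_alert[cred] = {"credential": cred, "first_seen": ts,
                                    "rows_in_window": in_window[cred],
                                    "new_source": new_source,
                                    "sources": {e["source"]}}
                alerts.append(open_alert[cred])
            else:
                a = open_alert[cred]
                a["rows_in_window"] = max(a["rows_in_window"], in_window[cred])
                a["sources"].add(e["source"])
        else:
            # Burst is over; a later spike by this credential opens a fresh alert.
            open_alert.pop(cred, None)
    return alerts


if __name__ == "__main__":
    for a in detect_bulk_access(parse_log(SAMPLE_LOG)):
        print(f"ALERT {a['credential']} first seen {a['first_seen'].isoformat()} "
              f"peak {a['rows_in_window']:,} rows/window "
              f"sources={sorted(a['sources'])} new_source={a['new_source']}")
```

On the sample log the two routine backup queries and the analyst lookups stay under the threshold, while the three overnight queries from `external-host` collapse into a single alert for `svc-backup` that opens at 02:14:03 and peaks at 57 million rows, flagged as coming from a source that credential had never used. A threshold like this is only a starting point; in practice the baseline would be derived from each credential’s normal volume rather than a fixed constant.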

Ultimately, both the reactive and proactive elements of a strong cybersecurity incident response strategy were absent here. Uber’s approach to this breach—from lacking the basic controls necessary for such large amounts of data to the attempted silencing of the hackers—demonstrates the grim reality that even the largest organizations can be entirely unprepared for a data breach when it happens. And in a technological age where it’s only a matter of time until a breach occurs, it is shocking to realize that even companies that have a great deal to lose fail to prioritize security.

Learning a lesson

While the damage from this breach is substantial, it can serve as an example for organizations, both large and small. Many cybersecurity experts are hoping that, like other large-scale data breaches, Uber’s experience will spur internal change and a reconsideration of best practices at other companies. Think through your organization’s current security posture and how much priority is placed on security. Consider the role of regular security assessments in establishing a baseline, verifying the capabilities of your organization’s controls, and identifying and remediating vulnerabilities. An especially important step is to review your organization’s reactive measures and determine what the first remediation steps would be in the event of a breach.

In my last article, I discussed ransomware and whether or not individuals should make payments to hackers in an effort to recover their data.

As with any cybersecurity strategy, the key here is preparation. The best security plans take into account the need for proactive diligence in minimizing vulnerabilities and staying apprised of best practices, but they also incorporate reactive strategies for when our best laid plans can’t hold up to external (or internal) cyber threats. My best advice, as I noted last month, is to be prepared in the event of a ransomware attack and make sure that all of your information is not stored in one place.

Uber’s attempt to cover up its breach by paying the responsible cybercriminals was ill-advised for a number of reasons, one being that paying a cybercriminal often makes the problem much worse. Once a cybercriminal knows that a victim is willing to pay, they will often come back with subsequent attacks and demands for larger amounts of money. Part of an organization’s reactive incident response strategy should consist of steps to address the public at the appropriate time. While some organizations may feel pressure to immediately inform the public once they suspect a breach has occurred, it is advisable to confirm a data breach through digital forensic examination prior to making any official statements. Even if an organization has strong reason to believe, for instance, that a ransomware attack has occurred, it is possible that data was not breached. Gathering as much information and confirming the validity of a breach are critical; having to revise your public statements later makes it even harder to keep an organization’s reputation as unsullied as possible.

Uber’s series of security mistakes leading up to its breach was egregious. But its handling of the breach after the fact is the most problematic element of its approach. Its lack of transparency and openness with riders and drivers alike has made an already bad situation much, much worse. The silver lining is that the rest of us can take this situation as a reminder to reassess our own security practices and our commitment to establishing cultures of security within our own organizations.


MARK LANTERMAN is the chief technology officer of Computer Forensic Services. A former member of the U.S. Secret Service Electronic Crimes Taskforce, Mark has 28 years of security and forensic experience and has testified in over 2,000 cases.
