Uber hack netted 57m records
22 November 2017
The ride-hailing company Uber has revealed that it suffered a major data breach in 2016 that saw as many as 57 million user records and 7 million driver records compromised.
According to a blog post from the CEO Dara Khosrowshahi, “in late 2016 we became aware that two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use. The incident did not breach our corporate systems or infrastructure.”
It is understood that Uber developers mistakenly uploaded access credentials to a source code repository on GitHub, where the attackers came across them.
These credentials gave access to Amazon's S3 storage service, where Uber had a significant hosting footprint and from which the attackers were able to access and extract the records.
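The failure described above, a live cloud credential committed to a repository, is mechanical enough to catch before the push. The following is an added example, not Uber's code or anything from the original report: a git pre-commit hook that scans only the lines a commit would add, flags AWS access key IDs by their documented AKIA/ASIA prefix, and flags secret keys by a nearby "secret ... key" assignment plus a Shannon-entropy test so that hashes and obvious placeholders are not reported. The 40-character secret-key format and the 3.5 bits/char threshold are assumptions chosen for the example; the sample diff and the key values in it are constructed, the latter being the placeholder credentials AWS uses in its own documentation.

```python
"""Added example (not Uber's code): git pre-commit check that refuses to commit
AWS credentials. Scans only lines a commit would ADD, from `git diff --cached`."""
import math
import re
import subprocess
import sys
from collections import Counter
from dataclasses import dataclass

# Access key IDs: documented 20-char format, AKIA (long-term) or ASIA (temporary)
# prefix plus 16 upper-case alphanumerics. Lookarounds stop partial matches.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

# Secret access keys: assumed here to be 40 base64-style characters. Require a
# "secret ... key" name on the same line so random hashes are not flagged.
SECRET_KEY_RE = re.compile(
    r"(?i)secret[_\-\s]*(?:access[_\-\s]*)?key[^\n]{0,10}?[=:]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)
ENTROPY_THRESHOLD = 3.5  # bits/char, an assumed cut-off; 'xxxx...' placeholders score 0

HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass
class Finding:
    path: str
    line: int
    kind: str
    snippet: str  # redacted, so it is safe to print in CI logs


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for a repeated single character)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(token: str) -> str:
    return token[:4] + "*" * (len(token) - 4)


def scan_line(text: str) -> list:
    """Return [(kind, token)] for every credential-looking token on one line."""
    hits = [("aws_access_key_id", m.group(0)) for m in ACCESS_KEY_RE.finditer(text)]
    for m in SECRET_KEY_RE.finditer(text):
        token = m.group(1)
        if shannon_entropy(token) >= ENTROPY_THRESHOLD:
            hits.append(("aws_secret_access_key", token))
    return hits


def scan_diff(diff_text: str) -> list:
    """Walk a unified diff, scanning only '+' lines and tracking new-file line numbers."""
    findings, path, lineno = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):            # new-file header: "+++ b/path"
            path = raw[4:].strip()
            path = path[2:] if path.startswith("b/") else path
            continue
        m = HUNK_RE.match(raw)
        if m:                                 # "@@ -a,b +c,d @@": c is the first new line
            lineno = int(m.group(1))
            continue
        if raw.startswith("-"):               # removed lines (and "--- a/path") never land
            continue
        if raw.startswith("+"):
            for kind, token in scan_line(raw[1:]):
                findings.append(Finding(path, lineno, kind, redact(token)))
            lineno += 1
        elif raw.startswith(" "):             # unchanged context line
            lineno += 1
    return findings


# Constructed sample diff. The key values are the placeholders AWS uses in its
# own documentation, not real credentials.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
index 1111111..2222222 100644
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,2 +10,5 @@ DEBUG = False
 S3_BUCKET = "example-exports"
-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+PLACEHOLDER_SECRET_KEY = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+GIT_COMMIT_SHA = "0123456789abcdef0123456789abcdef01234567"
"""


def main() -> int:
    """Hook entry point: scan the staged diff and block the commit on any finding."""
    diff = subprocess.run(
        ["git", "diff", "--cached", "--no-color", "-U0"],
        capture_output=True, text=True, check=True,
    ).stdout
    findings = scan_diff(diff)
    for f in findings:
        print(f"{f.path}:{f.line}: {f.kind} {f.snippet}", file=sys.stderr)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Installed as `.git/hooks/pre-commit` (or as a server-side pre-receive hook) it exits non-zero, aborting the commit, whenever a staged line carries a credential; on the constructed sample it reports the access key ID on line 11 and the secret key on line 12 while ignoring the placeholder and the commit hash. A hook of this kind is only a last line of defence: a key that does reach a public repository has to be treated as compromised and revoked immediately, because deleting it from history does not undo whatever was cloned in the meantime, and workloads are better served by short-lived role credentials than by long-lived access keys in the first place.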
However, the incident, once discovered, then developed in an odd direction.
“We took immediate steps to secure the data and shut down further unauthorized access by the individuals,” wrote Khosrowshahi. “We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.”
Bloomberg is reporting that the term “obtained assurances” actually means that Uber paid a ransom of $100,000 to the hackers in return for the data being destroyed.
Khosrowshahi said in the blog that “outside forensics experts have not seen any indication that trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded. However, the individuals were able to download files containing a significant amount of other information.”
The whole incident reflects badly on Uber: not only did it take place almost a year ago, but because it was triggered by leaked credentials there was no security breach as such of either the Amazon or the Uber systems and infrastructure. The credentials were valid, but in the wrong hands.
Added to this is the fact that it appears regulators were not informed, and the incident response falls far short of what is considered best practice.
Responding to the CEO’s blog post Dermot Williams, managing director, Threatscape said: “Khosrowshahi is quick to point out that the incident ‘did not breach our corporate systems or infrastructure’ – but this is misleading as online companies rarely own the systems they use to store and process data, instead renting capacity from cloud providers such as Amazon, Microsoft and Google.”
“A key aspect of the cloud era is that while a company like Uber may not be responsible for the operation of the third-party cloud services it uses, it is still very much accountable for the security of customer data stored there—including ensuring its personnel carefully guard the passwords for accessing that data. In this respect, Uber dropped the ball,” said Williams.
For Irish Uber customers Williams advises: "Make sure you're not using the same password for Uber as you're using for other web sites or online services, and if you are you need to change these as a matter of urgency. Also, while Uber do not believe customer credit card information was stolen, it is always prudent to monitor your statements for any unauthorised transactions."
Chester Wisniewski, security expert and blogger for Sophos’ Naked Security, said “Uber’s breach demonstrates once again how developers need to take security seriously and never embed or deploy access tokens and keys in source code repositories.”
"I would say it feels like I have watched this movie before," said Wisniewski, "but usually organisations aren't caught while actively involved in a cover-up as well. Putting the drama aside and the potential impacts from the upcoming GDPR enforcement in Europe, this is just another careless development team with shared credentials and poor security practices. Sadly, this is common more often than not in 'agile' development environments, especially in high-growth technology start-ups."