Incident Of The Week: Uber’s Internal Handling Of Pervasive Hack

In the dynamic world of cyber security, breaches are both tightly guarded and, sadly, imminent.

Combing through data, market research and threat-defense efforts taken by enterprises can be a daunting task. Here at Cyber Security Hub, we both track the latest industry news and make it more navigable for the IT professional. CSHub coverage extends outwards – as it helps enterprises batten down their proverbial hatches.

In this edition of “Incident of the Week,” we examine the far-reaching Uber breach, which came to light on Tuesday and reportedly found the ride-sharing company brushing a massive data breach under the rug.

The breach underscores the importance of network security, continued awareness and preparation at the enterprise level.

The reported attack occurred in October 2016, as the billion-dollar-company dealt with U.S. regulators over fallout from previous data disclosure practices.

Amid the Uber Technologies, Inc. breach, 50 million users’ had their names, email addresses and phone numbers exposed. Information on seven million drivers was also accessed, including 600,000 U.S. driver’s license numbers, according to Bloomberg.

The company says no Social Security or credit card numbers were stolen, along with trip location information. But from an enterprise standpoint, the most startling findings in this case came internally, with the way Uber handled the disclosure (hint: it waited over a year).

The company allegedly paid $100,000 to the hackers to delete data they had stolen and to remain quiet about the breach.

See Related: Digitally Crippled: Ransomware Shuts Down City Government

Chief Executive Officer Dara Khosrowshahi, who began in September, said that the company will not make excuses for what occurred, and is changing the way it conducts business. Shortly after the announcement on Tuesday, New York Attorney General Eric Schneiderman launched an investigation.

Although it is not the first time a top-tier company has been breached, Uber’s security team took dramatic steps to keep it under wraps.

Uber had already been caught in a wave of controversy before Khosrowshahi took the helm, including the departure of co-founder Travis Kalanick over workplace criticisms. Yet Kalanick reportedly learned of the breach one month after it occurred. Uber decided to go ahead and settle its respective disputes with the New York attorney general and Federal Trade Commission (FTC).

Joe Sullivan, the outgoing security chief, was responsible for the company’s response to the hack, which was only discovered after a board investigation conducted by an outside firm.

Hackers tapped into a GitHub coding site used by Uber’s software engineers, stole login credentials and tapped into their Amazon Web Services data. There, they stumbled upon a cache of sensitive data.

Current legislation – at different levels – mandates that companies disclose information about these sorts of mega-breaches. Uber did not.

See Related: Data Breaches Surge 164%, Cost Enterprises $52B In 2017

Khosrowshahi said the company took measures internally to solve the problem and improve its cloud-based storage practices, but did not come forward with the incident report.

Uber was caught up in multiple suits at the time of the breach, and settled with the FTC over a privacy issue without informing them of the 2016 event.

Sullivan, the security chief, and a senior lawyer reporting to him, Craig Clark, were asked to resign.

Matt Olsen, former general counsel for the National Security Agency (NSA) and director of the National Counterterrorism Center, has been hired by Uber as an adviser, to in part rebuild the security teams. Mandiant, a cyber security firm owned by FireEye Inc., has also been hired to investigate the breach.

For CISO onlookers, the recent Uber incident is a humbling reminder to: remain prepared for a breach, follow protocols to reduce impact and be transparent when it comes to sensitive data.

Visibility about security initiatives is a foundation of today’s business world. This is, perhaps, something that must be built upon as threats continue to multiply.