Data breach at Uber; what next?

Ride-hailing service Uber had suffered a massive cyberattack in October last year, which had probably sacrificed the confidential data of nearly 57 million customers and drivers, the company revealed in a recent statement.

However, Uber failed to disclose the hack for a long time, thereby raising many concerns globally.

Global probe

Stunned with this disclosure, global regulators from countries including US, UK, Australia and Singapore are probing this cyber attack and also the role of Uber in covering up this issue for such a long time.

There are reports that if Uber is found guilty on any account then it could be slapped hefty fines and has to face punishments in various market segments.

 Not a surprise

“News that the darling of the disruptive digital age, taxi app company Uber, was hacked in 2016 with statements confirming that 57 million customers and 600,000 drivers’ personal details were compromised and potentially stolen should not really come as a surprise,” said James Chappell, CTO and Co-Founder, Digital Shadows.

“While you could be surprised at such an effective architect of the digital world would not be fully prepared for such an event, it does show that even the most tech savvy businesses are open to the menace of data breaches and cyberattacks,” said Chappell.

Chappell added that we don’t yet know the full picture of what happened at Uber, but their statement says that hackers accessed a ‘private’ area of GitHub, a Web-based data hosting service used by the app developers.

This likely means one of two things

That the ‘private area’ should have been private, but was not for some reason or it could mean that ‘private area’ is behind the GitHub login pages and some sort of compromise of GitHub must have occurred, most likely by credential stuffing or keylogging.

But what is absolutely certain is that this sort of attack should have been spotted sooner and ideally before significant data had been extracted.  If basic login details were stolen, this is something Uber could have been monitoring for and prevented.

The storage of sensitive IT system logins should not have been in that website in the first place. It appears in Uber’s case they found out about it when the hackers came asking for money to delete the stolen data – $100,000 (£75,000). Of course, there is little honor amongst thieves and whether paying the ransom had the effect of deleting the data as expected, only time will tell. Security firms often advise not to pay ransoms, as organizations can make themselves a more attractive target should their willingness to pay emerge.

Legal and social obligations

“Uber had both the legal and social obligation to inform governments and customers of this attack, and the fact the company chose to pay hackers and hide the massive breach is shocking. Pretending that an attack hasn’t happened, or quietly paying attackers off only emboldens perpetrators further,” said Dan Sloshberg, cyber resilience expert, Mimecast.

“With the General Data Protection Regulation (GDPR) coming into effect in May 2018, businesses must report breaches within 72 hours or face crippling fines much bigger than what Uber paid to hackers. Businesses need to realize that the impact of breaches can be very serious – with knock-on effects on the organization itself, employees and customers,” stated Sloshberg.