News has surfaced today claiming that oft-controversial taxi ride-sharing company Uber suffered a massive data breach in 2016.
According to Bloomberg, the data of 57,000,000 drivers and customers was stolen, after which Uber not only kept the breach secret from the victims, but also paid the hackers $100,000 to “delete the data [and] keep quiet”.
Apparently, Uber’s security chief, Joe Sullivan, lured to Uber from Facebook in 2015, has been sacked in the fallout.
Bloomberg quotes Uber as follows:
Compromised data from the October 2016 attack included names, email addresses and phone numbers of 50 million Uber riders around the world… The personal information of about 7 million drivers was accessed as well, including some 600,000 US driver’s license numbers. No Social Security numbers, credit card information, trip location details or other data were taken.
It seems that Uber’s programmers uploaded security credentials to a GitHub repository – GitHub is a place where you are supposed to store source code, not the keys to the castle! – where the hackers stumbled across them.
Armed with those credentials, the crooks were able to get into Uber servers hosted on Amazon, and from there to reach the personal information involved in the breach.
If this sounds terribly familiar, that’s because Uber suffered a breach with a similar cause some three and a half years ago: an intrusion that was discovered in May 2014 but not disclosed until February 2015.
Beyond Uber’s own statement, independently confirmed details of what data was stolen this time round are not yet available.
As mentioned above, however, Uber itself says that driving licence details were acquired by the hackers, meaning that Uber certainly ought to have declared the breach promptly: that is exactly the sort of sensitive data that breach notification rules exist to cover.
Uber’s claim that customer details such as credit card data and social security numbers were not involved in the heist is a slight silver lining, but how many customers are willing to believe Uber at this point is anybody’s guess.
What to do?
There’s so much still untold in this story that the only sensible recommendation we can make to Uber customers is: “Keep your eyes open for what comes out next.”
If you’re a programmer, repeat these words to anyone who will listen: “GitHub is for code, not for security keys!”
As our friend and colleague Chester Wisniewski bluntly put it:
Uber’s breach demonstrates once again how developers need to take security seriously and never embed or deploy access tokens and keys in source code repositories. I would say it feels like I have watched this movie before, but usually organisations aren’t caught while actively involved in a cover-up as well. Putting the drama aside and the potential impacts from the upcoming GDPR enforcement in Europe, this is just another careless development team with shared credentials and poor security practices. Sadly, this is common more often than not in “agile” development environments, especially in high-growth technology startups.
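To make the “keys in GitHub” problem concrete, here is an added example (ours, not code from Uber, Sophos or this article): a small pre-commit secret scanner that flags the kinds of credentials described above before they are pushed. The file names, the `deploy_token` value and the sample file contents are constructed for the demonstration, and the AWS access key pair used is the inert placeholder pair from AWS’s own documentation, not a live credential.

```python
"""Pre-commit style secret scanner: added example, not Uber's or the article's code.

It flags the sort of material that should never reach a repository: AWS access
key IDs, an AWS secret key sitting next to an aws_secret_access_key label, PEM
private-key headers, and high-entropy literals assigned to names that look like
credentials. All sample inputs below are constructed for the demonstration; the
AWS pair is the placeholder pair from AWS's own documentation, not a live key.
"""
import math
import re
import sys
from collections import Counter
from dataclasses import dataclass

# Long-term IAM access key IDs begin with AKIA; temporary STS ones with ASIA.
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# A 40-character secret is only flagged when labelled, to keep noise down.
AWS_SECRET = re.compile(r"aws_secret_access_key\W{0,5}([A-Za-z0-9/+=]{40})", re.I)
PRIVATE_KEY = re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")
# Generic: a quoted literal of 16+ chars assigned to a credential-like name.
ASSIGN = re.compile(
    r"\b(\w*(?:secret|token|passw(?:or)?d|key)\w*)\s*[:=]\s*['\"]([^'\"\s]{16,})['\"]",
    re.I,
)
ENTROPY_THRESHOLD = 3.5  # bits per character; words and paths sit well below


@dataclass
class Finding:
    path: str
    line: int
    rule: str
    snippet: str


def shannon_entropy(s: str) -> float:
    """Bits per character: random base64/hex scores 4+, English text about 3."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(path: str, text: str) -> list[Finding]:
    """Scan one file's contents; specific rules take precedence over the heuristic."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        hit = None
        if AWS_KEY_ID.search(line):
            hit = "aws-access-key-id"
        elif AWS_SECRET.search(line):
            hit = "aws-secret-access-key"
        elif PRIVATE_KEY.search(line):
            hit = "private-key"
        if hit:
            findings.append(Finding(path, lineno, hit, line.strip()))
            continue
        for m in ASSIGN.finditer(line):
            name, value = m.group(1), m.group(2)
            # Environment placeholders and low-entropy values are not leaks.
            if value.startswith("${") or shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue
            findings.append(Finding(path, lineno, f"high-entropy:{name}", line.strip()))
    return findings


def scan_all(sources: dict[str, str]) -> list[Finding]:
    return [f for path, text in sources.items() for f in scan_text(path, text)]


# Constructed sample files standing in for what `git diff --cached` would show.
SAMPLES = {
    "config.py": (
        "# constructed sample; the AWS pair is the documentation placeholder\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "aws_secret_access_key = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
        'deploy_token = "q7Zt2mKx9PvLw3RbN8cYf4Hs"\n'
        "DB_PASSWORD = 'password_password_1'  # weak, but low entropy: not a leak\n"
    ),
    "settings.yml": (
        'api_token: "${PRODUCTION_API_TOKEN}"  # placeholder resolved at deploy time\n'
        "region: us-east-1\n"
    ),
}


def main(argv: list[str]) -> int:
    """With paths: scan those files (e.g. the staged set from a git hook).
    Without: scan the embedded samples. Non-zero exit blocks the commit."""
    if len(argv) > 1:
        sources = {p: open(p, encoding="utf-8", errors="replace").read() for p in argv[1:]}
    else:
        sources = SAMPLES
    findings = scan_all(sources)
    for f in findings:
        print(f"{f.path}:{f.line}: {f.rule}: {f.snippet}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with no arguments to scan the embedded samples (three findings in `config.py`, none in `settings.yml`). In a repository, save it under a name of your choosing (we assume `scan_secrets.py` here) and wire it into `.git/hooks/pre-commit` as `git diff --cached --name-only -z | xargs -0 python scan_secrets.py`, so that a non-zero exit blocks the commit. The entropy heuristic is deliberately conservative, so a maintained secret-scanning tool with a larger pattern library belongs in CI as well; and any key that does reach a repository should be treated as burned and rotated, not merely deleted from the history.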
Oh, and if you do suffer a breach, do the right thing: report it quickly, not just because the law requires you to do so, but because it’s the decent thing to do.
And, for goodness’ sake, put something on your website to inform customers what you know so far; what additional information you are trying to uncover; and when you expect to provide the next update.
At the time of writing [2017-11-22T01:00Z], Uber’s website was still leading with the strapline “Get there – your day belongs to you”, and urging you to sign up to drive for the company.
Update. Uber has published a help page about this breach. [2017-11-22T01:40Z]
I would say I can’t believe it, except I can. Easily. That company has cut corners and edged around the law everywhere it’s been. But, cynical as I am about them, I would never have guessed that they would pay off the hackers to keep it quiet.
By the way, you misspelled “over” as “ocer” about a third of the way into the article.
Fixed the typo, thanks!
Lol paid them $100k
Coz, you know, the bad guys will totally be honest to their word. They’ll take the money and delete the data since you paid them.
I’m sure they won’t take your money and then sell the data on anyway to double their cash. It’s not like they are ‘bad guys’ is it?
FFS.
It’ll be interesting to see how the story unfolds – if the current Uber leadership can unfold it at this stage, that is. I suppose you could wrap the $100,000 up as a “bug bounty payout”, but that still leaves the issue of very conveniently deciding for yourself that it wasn’t necessary to report it.
It’s even worse than that: did they kill the data for the 110K? I doubt it. It was hush money, not a bug bounty, it seems to me.
The problem with Uber is that you can’t trust them to tell the truth. Was it a bribe, or hush money?
Since they paid the criminals, they should be charged with aiding and abetting! Or better yet…have all the C level people and board of directors information made public permanently.
Interesting that the CSO was sacked after this much time. I doubt that he was the one who signed the $100k check.