News has surfaced today claiming that oft-controversial taxi ride-sharing company Uber suffered a massive data breach in 2016.
According to Bloomberg, the data of 57,000,000 drivers and customers was stolen, after which Uber not only kept the breach secret from the victims, but also paid the hackers $100,000 to “delete the data [and] keep quiet”.
Apparently, Uber’s security chief, Joe Sullivan, lured to Uber from Facebook in 2015, has been sacked in the fallout.
Bloomberg quotes Uber as follows:
Compromised data from the October 2016 attack included names, email addresses and phone numbers of 50 million Uber riders around the world… The personal information of about 7 million drivers was accessed as well, including some 600,000 US driver’s license numbers. No Social Security numbers, credit card information, trip location details or other data were taken.
It seems that Uber’s programmers uploaded security credentials to a GitHub repository – GitHub is a place where you are supposed to store source code, not the keys to the castle! – where the hackers stumbled across them.
From there, the crooks were able to get into Uber servers hosted on Amazon, and from there to access the personal information involved in the breach.
If this sounds terribly familiar, Uber suffered a breach with a similar cause just over three years ago, an intrusion that was discovered in May 2014 but not disclosed until February 2015.
Reliable details of what data was stolen this time round are not yet available.
As mentioned above, driving licence details were acquired by the hackers, meaning that Uber certainly ought to have declared the breach promptly, because sensitive data was involved.
Uber’s claim that customer details such as credit card data and social security numbers were not involved in the heist is a slight silver lining, but how many customers are willing to believe Uber at this point is anybody’s guess.
What to do?
There’s so much still untold in this story that the only sensible recommendation we can make to Uber customers is: “Keep your eyes open for what comes out next.”
If you’re a programmer, repeat these words to anyone who will listen: “GitHub is for code, not for security keys!”
As our friend and colleague Chester Wisniewski bluntly put it:
Uber’s breach demonstrates once again how developers need to take security seriously and never embed or deploy access tokens and keys in source code repositories. I would say it feels like I have watched this movie before, but usually organisations aren’t caught while actively involved in a cover-up as well. Putting the drama aside and the potential impacts from the upcoming GDPR enforcement in Europe, this is just another careless development team with shared credentials and poor security practices. Sadly, this is common more often than not in “agile” development environments, especially in high-growth technology startups.
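The practical lesson above, "never embed or deploy access tokens and keys in source code repositories", is easiest to enforce before a commit ever leaves a developer's machine. The script below is an added example, not code from this article, from Uber or from Sophos: it is a minimal git pre-commit hook that scans the staged version of each changed file for a few common credential shapes (an AWS access key ID, a private-key header, and an assignment of a long high-entropy value to a name such as password or api_key). The patterns, the entropy threshold of 3.5 bits per character and the sample "config.py" content are all assumptions chosen for illustration; the sample credentials are constructed and not real. A real project should pair a hook like this with a maintained scanner such as gitleaks or trufflehog, which cover far more credential formats.

```python
#!/usr/bin/env python3
"""Minimal pre-commit secret scanner (added example; patterns are illustrative only)."""
import math
import re
import subprocess
import sys
from collections import Counter

# Credential shapes to look for. "AKIA" + 16 upper-case alphanumerics is the
# documented AWS access key ID format; the other two are generic heuristics.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "assigned_secret": re.compile(
        r"(?i)(?:aws_secret_access_key|secret[_-]?key|api[_-]?key|token|password)\b"
        r"\s*[:=]\s*['\"]?([A-Za-z0-9/+_\-=]{16,})['\"]?"
    ),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Constructed sample of a file a developer might stage by mistake (no real keys).
SAMPLE_COMMIT = """\
# settings.py (constructed sample, not real credentials)
aws_access_key_id = AKIAEXAMPLE000000000
aws_secret_access_key = "Ab3dEf7hIj9kLm1nOp5qRs2tUv8wXy4z"
db_password = "changeme-changeme-changeme"
-----BEGIN RSA PRIVATE KEY-----
"""


def shannon_entropy(value):
    """Bits of entropy per character; random keys score high, placeholders low."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text, path="<stdin>", min_entropy=3.5):
    """Return (path, line_number, kind) for every line that looks like a credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            # Assignment matches are noisy: skip low-entropy values such as
            # "changeme-changeme-changeme", which are placeholders, not secrets.
            if kind == "assigned_secret" and shannon_entropy(match.group(1)) < min_entropy:
                continue
            findings.append((path, lineno, kind))
    return findings


def demo():
    """Scan the constructed sample; used for the stand-alone run and the test."""
    return scan_text(SAMPLE_COMMIT, path="config.py")


def staged_files():
    """Paths added, copied or modified in the index (what the commit would contain)."""
    out = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
                         capture_output=True, text=True, check=True).stdout
    return [p for p in out.splitlines() if p]


def staged_content(path):
    """':path' addresses the staged blob, not the working-tree copy."""
    return subprocess.run(["git", "show", f":{path}"],
                          capture_output=True, text=True, check=True).stdout


def main():
    findings = []
    for path in staged_files():
        try:
            findings.extend(scan_text(staged_content(path), path))
        except (subprocess.CalledProcessError, UnicodeDecodeError):
            continue  # binary or unreadable blob; nothing to scan
    for path, lineno, kind in findings:
        print(f"{path}:{lineno}: possible {kind}; remove it from the commit and rotate the credential",
              file=sys.stderr)
    return 1 if findings else 0  # non-zero exit makes git abort the commit


if __name__ == "__main__":
    for finding in demo():
        print("sample finding:", finding)
    sys.exit(main())
```

Installed as `.git/hooks/pre-commit` (executable), the hook blocks any commit whose staged content trips a pattern; the entropy check is what keeps placeholders like "changeme" from producing constant false alarms. A hook only helps on the machine it is installed on, so the same scan belongs in CI as well, and any credential that does reach a repository should be treated as compromised and rotated, not merely deleted from history.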
Oh, and if you do suffer a breach, do the right thing: report it quickly, not just because the law requires you to do so, but because it’s the decent thing to do.
And, for goodness' sake, put something on your website to inform customers what you know so far; what additional information you are trying to uncover; and when you expect to provide the next update.
At the time of writing [2017-11-22T01:00Z], Uber’s website was still leading with the strapline “Get there – your day belongs to you”, and urging you to sign up to drive for the company.
Update. Uber has published a help page about this breach. [2017-11-22T01:40Z]