Here is Sophos’ advice as report reveals Uber suffered massive data breach


A report shows that Uber suffered a massive data breach in 2016. The Bloomberg report indicates the data of 57,000,000 drivers and customers was stolen, after which Uber not only kept the breach secret from the victims, but also paid the hackers $100,000 to “delete the data [and] keep quiet”.

Apparently, Uber’s security chief, Joe Sullivan, lured to Uber from Facebook in 2015, has been sacked in the fallout, according to the report.

Bloomberg quotes Uber as follows:

Compromised data from the October 2016 attack included names, email addresses and phone numbers of 50 million Uber riders around the world… The personal information of about 7 million drivers was accessed as well, including some 600,000 US driver’s license numbers. No Social Security numbers, credit card information, trip location details or other data were taken.

Going by a report by Naked Security, it seems that Uber’s programmers uploaded security credentials to a GitHub repository – GitHub is a place where you are supposed to store source code, not the keys to the castle! – where the hackers stumbled across them.

From there, the crooks were able to get into Uber servers hosted on Amazon, and from there to access the personal information involved in the breach.

If this sounds terribly familiar, Uber suffered a breach with a similar cause just over three years ago, an intrusion that was discovered in May 2014 but not disclosed until February 2015.

Reliable details of what data was stolen this time round are not yet available.

As mentioned above, driving licence details were acquired by the hackers, meaning that Uber certainly ought to have declared the breach promptly, because sensitive data was involved.


Uber’s claim that customer details such as credit card data and social security numbers were not involved in the heist is a slight silver lining, but how many customers are willing to believe Uber at this point is anybody’s guess.


What to do?

There’s so much still untold in this story that the only sensible recommendation we can make to Uber customers is: “Keep your eyes open for what comes out next.”

If you’re a programmer, repeat these words to anyone who will listen: “GitHub is for code, not for security keys!”
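As an added illustration, not part of the original article or of any Sophos or Uber tooling, this is the kind of check a development team can run before a commit reaches a shared repository: a small scanner that flags AWS-style access keys and other high-entropy credential values in text such as a staged diff. The regular expressions, the entropy threshold and the sample config are assumptions made for this example; the two AWS key values are AWS’s documented placeholder examples, not real credentials.

```python
import math
import re
import sys

# Patterns for the kind of material that ended up in Uber's repository: cloud
# access keys. The AWS formats (AKIA + 16 chars; 40-char secret) are documented;
# the generic assignment pattern is an added heuristic backed by an entropy check.
AWS_KEY_ID = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
AWS_SECRET = re.compile(
    r"(?i)aws[_-]?secret[_-]?(?:access[_-]?)?key\W{0,3}['\"]?([A-Za-z0-9/+=]{40})\b")
GENERIC = re.compile(
    r"(?i)(secret|token|password|api[_-]?key)\W{0,3}['\"]?([A-Za-z0-9/+=_\-]{20,})")
ENTROPY_THRESHOLD = 3.5  # bits per character; hex/base64 secrets score about 4 or more


def shannon_entropy(s):
    """Bits of entropy per character: random tokens score high, dictionary words low."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_text(text, path="<stdin>"):
    """Return (path, line_no, kind, value) for every suspected credential in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in AWS_KEY_ID.finditer(line):
            findings.append((path, line_no, "aws-access-key-id", m.group(1)))
        for m in AWS_SECRET.finditer(line):
            findings.append((path, line_no, "aws-secret-access-key", m.group(1)))
        for m in GENERIC.finditer(line):
            # Only flag values that look random; short or word-like values are skipped.
            if shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
                findings.append((path, line_no, "high-entropy-" + m.group(1).lower(), m.group(2)))
    return findings


# Constructed sample: a config file that should never be committed. The AWS
# values are AWS's published placeholder examples; the token is made up.
SAMPLE_CONFIG = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
api_token = "e6f1a9c2b0d84f7e3a5c9d1b2f4e6a8c"
db_password = placeholder
"""

if __name__ == "__main__":
    # Pre-commit usage (assumed hook name): git diff --cached | python scan_secrets.py
    src = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CONFIG
    hits = scan_text(src)
    for path, n, kind, value in hits:
        print(f"{path}:{n}: {kind}: {value[:4]}...")  # never echo the full secret
    sys.exit(1 if hits else 0)
```

A non-zero exit from the hook blocks the commit, which is the point: the credential is caught on the developer's machine rather than on a public GitHub page.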

As our friend and colleague Chester Wisniewski bluntly put it:

Uber’s breach demonstrates once again how developers need to take security seriously and never embed or deploy access tokens and keys in source code repositories. I would say it feels like I have watched this movie before, but usually organisations aren’t caught while actively involved in a cover-up as well. Putting the drama aside and the potential impacts from the upcoming GDPR enforcement in Europe, this is just another careless development team with shared credentials and poor security practices. Sadly, this is common more often than not in “agile” development environments, especially in high-growth technology startups.

Commenting on the report, Sophos Principal Research Scientist Chester Wisniewski believes:

“Uber’s breach demonstrates once again how developers need to take security seriously and never embed or deploy access tokens and keys in source code repositories. I would say it feels like I have watched this movie before, but usually organizations aren’t caught while actively involved in a cover-up. Putting the drama aside and the potential impacts from the upcoming GDPR enforcement, this is just another development team with poor security practices that has shared credentials. Sadly, this is common more often than not in agile development environments.”

From his perspective, Sophos Cyber Security Advisor James Lyne says:

“Uber isn’t the only and won’t be the last company to hide a data breach or cyberattack. Not notifying consumers puts them at greater risk of being victimized with fraud. It’s for precisely this reason that many countries are driving to regulations with mandatory breach disclosure.”

For Uber customers and drivers, Sophos advises that they monitor their credit scores and keep their eyes peeled for additional information on what was stolen.
