Uber hack: The IT security breach cover up that compromised millions of customers' data

The growing cyber security threat to businesses across the globe

This latest hack shows just how many elements of IT security have to be considered to keep your sensitive company data in a safe environment.

The ways in which hackers can steal your data are many: a ransomware attack (like WannaCry and Petya), employees taking unencrypted data off-site (the Heathrow USB data breach), cyber criminals breaking into unpatched systems (the Cash Converters hack) and now this latest hack on Uber, in which customer and driver information was stolen.

How did hackers gain access to Uber’s customer data?

Two unidentified hackers gained access to a private GitHub repository used by Uber’s engineers. Inside it they found login credentials, which they then used to access Uber’s Amazon Web Services account, the account Uber’s IT team used to run its computing workloads. Through that account the hackers uncovered an archive of rider (customer) and driver data. They then emailed Uber demanding money for their find.
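The chain described above starts with a credential sitting in a code repository. The defensive control for that first link is a secret scan run before code is committed or pushed. The following is an added example, not code from the original article, from Uber or from TSG: a small Go scanner that flags AWS-style credentials in staged files so a pre-commit hook or CI job can block the commit. The access key ID shape (the prefix "AKIA" followed by 16 upper-case alphanumerics) is AWS's documented format; the secret-key rule is my own heuristic, and the file contents in `SampleFiles` are constructed with fake, non-functional values.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Finding records one suspected credential in a scanned file.
type Finding struct {
	File string
	Line int
	Kind string
}

// Two patterns for an AWS credential pair. The access key ID shape (prefix
// "AKIA" plus 16 upper-case alphanumerics) is the documented AWS format; the
// secret-key rule is a heuristic: a 40-character base64-like value assigned
// to a variable whose name contains "secret" and "key".
var (
	accessKeyRe = regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`)
	secretKeyRe = regexp.MustCompile(`(?i)(aws_?secret(_?access)?_?key|secret_key)\s*[=:]\s*["']?[A-Za-z0-9/+=]{40}(["']|\s|$)`)
)

// ScanText checks one file's contents line by line and returns every
// suspected credential with its 1-based line number.
func ScanText(file, text string) []Finding {
	var findings []Finding
	for i, line := range strings.Split(text, "\n") {
		if accessKeyRe.MatchString(line) {
			findings = append(findings, Finding{File: file, Line: i + 1, Kind: "aws-access-key-id"})
		}
		if secretKeyRe.MatchString(line) {
			findings = append(findings, Finding{File: file, Line: i + 1, Kind: "aws-secret-access-key"})
		}
	}
	return findings
}

// ScanFiles takes path -> contents (what a pre-commit hook or CI job sees for
// the staged files) and reports whether the commit is clean, plus the findings.
func ScanFiles(files map[string]string) (clean bool, findings []Finding) {
	paths := make([]string, 0, len(files))
	for p := range files {
		paths = append(paths, p)
	}
	sort.Strings(paths) // deterministic report order
	for _, p := range paths {
		findings = append(findings, ScanText(p, files[p])...)
	}
	return len(findings) == 0, findings
}

// SampleFiles is a constructed example of a commit: one config file with
// hard-coded credentials (fake, non-functional values) and one clean source
// file that reads credentials from the environment instead.
var SampleFiles = map[string]string{
	"config/prod.env": "# constructed sample: credentials that must never be committed\n" +
		"aws_access_key_id = AKIAEXAMPLEEXAMPLE01\n" +
		"aws_secret_access_key = \"CONSTRUCTEDEXAMPLESECRETKEY0123456789ABC\"\n" +
		"region = eu-west-1\n",
	"internal/client.go": "// NewClient reads credentials from the environment; nothing is hard-coded\n" +
		"id := os.Getenv(\"AWS_ACCESS_KEY_ID\")\n" +
		"secret := os.Getenv(\"AWS_SECRET_ACCESS_KEY\")\n",
}

func main() {
	clean, findings := ScanFiles(SampleFiles)
	for _, f := range findings {
		fmt.Printf("BLOCK %s:%d suspected %s\n", f.File, f.Line, f.Kind)
	}
	if clean {
		fmt.Println("no credentials found; commit allowed")
	}
}
```

Run as a hook, a non-empty findings list should fail the commit; the clean file shows the pattern you want to see instead, credentials read from the environment (or an instance role) rather than written into the repository. A scanner like this is a safety net, not a substitute for short-lived credentials and for rotating any key that does slip into version control, since repository history keeps it even after it is deleted from the working tree.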

The £75,000 gamble that didn’t pay off

The hackers are reported to have gained access to the names, email addresses and phone numbers of Uber customers and the licence plate details and names of Uber drivers. With a reported 40 million active users, it would appear Uber was in quite a sticky spot.

It’s reported that Uber handed over £75,000 to the two hackers in exchange for them deleting the data and keeping the attack under wraps. Paying these hackers is a bad call for many reasons – I’ll focus on only a couple. The first is that there is unlikely to be any real guarantee that the data would be deleted (these hackers are criminals, after all). There’s also no guarantee that the hackers didn’t glean further information from this breach; another request for payment could be sitting in the wings.

In addition to these reasons, experts advise that no payment of any kind should be made to cyber criminals, whether it follows a ransomware attack, a data breach or any other form of cyber-ransom. By paying cyber criminals you are not only funding and promoting further cyber-attacks, but there is never a real guarantee that they will do as they say.

It’s reported that the Chief Security Officer Joe Sullivan was fired for paying the hackers and then concealing the attack.

Uber’s Chief Executive Dara Khosrowshahi commented:

“None of this should have happened, and I will not make excuses for it.

“While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.”

What could happen to Uber under GDPR?

Uber is an American company; however, that fact would not make it exempt from the General Data Protection Regulation (GDPR), which comes into force in May 2018. Uber holds information about European citizens, meaning the company would be subject to GDPR.

Under GDPR, Uber would be facing significant fines: it would likely have had to pay a fine of 4% of its global annual revenue or £17.75m, a cyber law barrister has said.

Dean Armstrong, Cyber Law Barrister at Setfords Solicitors, said: “As Uber hasn’t released its figures we can’t speculate as to the potential final cost of the fine but it is fair to say the regulator would come down hard and under the regulations, it would likely be in the tens of millions.”

Uber’s first mistake was not reporting the data breach. The Information Commissioner’s Office (ICO) advises notification as the first step for companies that become aware of a data breach and understand its essential facts; this notification should take place within 72 hours of understanding the basic facts of the breach.

Additionally, because Uber covered up the breach it was in no position to notify those who could have been affected, meaning its customers could have been at risk without knowing – a big no-no from the ICO and a black mark against the transparency of your company in your customers’ eyes.

The ICO looks for companies that are putting measures in place to secure their Personally Identifiable Information (PII). Had Uber encrypted its data and put measures in place to block unauthorised access, the hack may well not have happened in the first place, and those measures would have been noted in Uber’s favour by the ICO.

Unencrypted data is like an open door to cyber criminals

Encrypting your organisation’s data means that even if hackers gain access to the stored data they will not be able to read or decode it without the decryption key. So, in the case of an employee moving data to the cloud or to other devices, encryption means that unauthorised access to the copy would not put your data in jeopardy.

Had Uber’s data been encrypted there would have been no cause for ransom as the hackers wouldn’t have been able to read the information freely.
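To make the point above concrete, here is an added example (not code from the article, from Uber or from TSG) of encrypting an export like the rider and driver archive at rest with AES-256-GCM from Go's standard library. It shows three things: the stored blob contains none of the plaintext, the archive decrypts only under the right key, and a wrong key or a modified blob is rejected outright rather than yielding garbage. `SampleArchive` is a constructed record, and `NewKey` stands in for a key held by a KMS or HSM.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// SampleArchive stands in for the rider/driver export. Constructed record,
// not real data.
var SampleArchive = []byte("rider,alice@example.com,+44 7700 900123\ndriver,AB12 CDE,Bob Example\n")

// NewKey returns a fresh 256-bit key. In production the key is generated and
// held by a KMS or HSM with its own access policy, never written next to the
// data it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptArchive seals plaintext with AES-256-GCM. Output layout:
// 12-byte random nonce || ciphertext || 16-byte authentication tag.
func EncryptArchive(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag after the nonce so one blob can be stored.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptArchive reverses EncryptArchive. It fails, rather than returning
// garbage, when the key is wrong or the blob has been tampered with, because
// GCM verifies the authentication tag before releasing any plaintext.
func DecryptArchive(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// LeaksPlaintext reports whether a plaintext field appears verbatim in the
// stored blob, which is all an attacker holding only the storage can see.
func LeaksPlaintext(blob, plaintext []byte) bool {
	return bytes.Contains(blob, plaintext)
}

func main() {
	key, _ := NewKey()
	blob, _ := EncryptArchive(key, SampleArchive)
	fmt.Printf("stored blob is %d bytes; email visible in it: %v\n", len(blob), LeaksPlaintext(blob, []byte("alice@example.com")))

	wrongKey, _ := NewKey()
	if _, err := DecryptArchive(wrongKey, blob); err != nil {
		fmt.Println("wrong key:", err)
	}
	plain, _ := DecryptArchive(key, blob)
	fmt.Printf("right key recovers %d bytes\n", len(plain))
}
```

The caveat that matters for this incident: encryption only helps if the key is not reachable with the same stolen credentials as the data. If the key is stored in the same cloud account, or the account's credentials are allowed to call the key service freely, an attacker who has those credentials can decrypt as easily as the application does. The key should live in a separate service with its own access policy, and decrypt permission should be granted only to the workloads that need it, with every use logged.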

Paul Lipman, CEO of cybersecurity firm BullGuard, said that the fact that the data was being stored unencrypted was “unforgivable”.

How to protect your business against a data breach

Encrypt your data: Sophos SafeGuard Encryption protects data at rest so that stolen copies cannot be read.

Patch your software and systems. TSG’s Systemcare does this automatically to keep you protected.

Train your employees on IT security. Sophos Phish Threat allows you to simulate email phishing attacks and train your staff simultaneously.