2017 has been a year of major data breaches across all sectors of business and around the globe. One of the latest involved the revelation that ride-sharing company Uber paid hackers $100,000 to cover up the loss of over 50 million records of customer personal data. How could the Uber breach been prevented?
Uber publicly admitted to suffering a data security incident on its blog on November 21, 2017. Bloomberg first publicly reported news of the hack, and announced in their story that two attackers accessed a private GitHub coding site used by Uber and found login credentials there for Uber’s Amazon Web Services (AWS) account. Uber developers had published code in GitHub that included credentials for Uber’s enterprise. The credentials provided attackers with privileged account access to Uber’s network. The attackers were able to download the impacted customer data directly from the AWS instance, and later to email Uber asking for payment. Uber paid the attackers $100,000 of BitCoin through HackerOne, a bug bounty site. Uber was able to identify the hacker through the payment process using HackerOne, and later to track down the attackers after making the payment and pushed them into signing non-disclosure agreements. The hacker signed an NDA and consented to destroy the stolen data. The attack was made public last week, more than a year after occurring.
The impacted data includes personal information of 57 million Uber users around the world, according to Uber’s blog entry published on the incident. The impact also included driver’s license numbers of 600,000 drivers in the United States. Uber announced that more sensitive information, including location data, credit card numbers, bank account numbers, social security numbers, and birth dates were not compromised.
Former CEO and co-founder Travis Kalanick learned of the breach in November 2016, one month after it occurred. However, he and his team chose to cover up any news of the hack, making payment through a bug bounty site and acting as if the breach was part of a bug bounty program. Uber’s new CEO Dara Khosrowshahi learned of the breach in September 2017, two weeks after taking over, and immediately ordered a full investigation. After the breach became public, the firm fired its chief security officer and one of his deputies for helping to cover-up the attack. Outgoing CSO Joe Sullivan was responsible for separate security issues related to data security disclosures and handling of consumer data. A recent board-ordered investigation into his operations by an outside law firm discovered the hack and failure to disclose.
One thing that new CEO Khosrowshahi did well after learning of the hack was to acquire outside help, contracting with third parties for legal and forensic support. Matt Olsen, former general counsel at the National Security Agency, will be reorganizing the company’s security team, while Mandiant conducts an independent investigation into the breach.
Uber’s payment to hackers has received mixed reviews by experts. Security expert Brian Krebs compared it to a ransomware payment. Others praised the company for paying to protect their customers’ data. It is the failure to disclose the hack to impacted customers and regulators that may be the worst part of the incident for Uber. In doing so, Uber violated breach disclosure laws in many states. In addition, Uber actively covered up the breach at a time when they were negotiating a settlement with the FTC over the previously mentioned consumer data handling issue, when Uber failed to disclose an unrelated data breach in 2014. As a result of this latest failure to disclose, Uber is now the target of at least 3 potential class actions lawsuits, at least 5 state attorney general investigations, and an inquiry by the FTC. International entities are investigating as well, with European data protection authorities beginning their investigation in late November. Congress is likely to get involved as well, calling senior Uber leadership into hearings to answer questions about the breach. A bill was introduced on November 30, the Data Security and Breach Notification Act, which would requires businesses to report data breaches within 30 days, and instituting a 5 year prison sentence for individuals who knowingly conceal a breach.
With Uber currently in the process of valuation for a major investment bid by SoftBank, and with plans to go public in 2018, it is likely that this hack and history of information security incidents will negatively impact the valuation of the company.
Several security best practices would have been effective in preventing Uber’s loss of customer data:
Uber attackers were able to gain access to both Uber’s GitHub and AWS instances remotely. While it was not announced how the attackers gained access to Uber’s GitHub, it likely involved compromise of legitimate Uber credentials that were then used to remotely log into the system. Implementing multifactor authentication would prevent a remote attacker from gaining access to targeted systems, even when legitimate credentials are compromised. A time-based soft token, hard token, SMS text message, or card-based token are all effective ways to secure remote logins that can help prevent remote attackers from gaining access to sensitive systems.
Attackers were able to use one set of administrator credentials found in GitHub to access Uber’s AWS environment and exfiltrate millions of records of sensitive data. One strategy used to prevent this sort of breach is to restrict privileges for user and administrator accounts. By implementing the principle of least privilege, an administrator would not have rights to access sensitive production databases within AWS and access the development environment in GitHub. By restricting privileges to only what is needed, the impact of one lost account is minimized.
Another way to effectively combat attackers is to conduct a cybersecurity threat assessment. Companies can review their assets and top risks to determine the areas in need of additional security controls. For Uber, this might have been publicly facing logins for GitHub and AWS and repositories of sensitive data within AWS, both of which would have benefited from additional access control measures.
Uber did not gain knowledge of the data breach until the attacker contacted them via email to demand payment. Cloud hosting services, maintained off-premises, are often neglected by traditional logging and monitoring controls. Cloud services, especially those hosting sensitive data, are in need of effective monitoring to detect any unauthorized access to sensitive data. If such monitoring was in place, Uber could have detected the access and exfiltration of large amounts of data off of its network.
Risk-based security is the most effective way for companies to guide their investment in security. By conducting an assessment to determine areas of risk, businesses can direct investment and effort to the security controls that will provide the largest risk reduction. NIST, CIS/SANS 20 or ISO 27001 all provide effective control-sets that can be used in this process.
Uber was lacking several foundational security controls that could have prevented the loss of 57 million customer records. Remote access and privileged accounts are two top attacker targets and threat vectors that are in need of additional security controls. While Uber’s payment to the attackers may have prevented the customer data from wider release, their failure to disclose the attack for over one year will likely have legal, reputational, and financial consequences for the company.