Uber recently reported that Hackers stole the personal data of 57 million customers and drivers from Uber Technologies Inc. after gaining access to data stores back in October 2016. The stolen data included names, email addresses, mobile phone numbers and license plate numbers.
Uber then paid the hackers $100,000 to destroy the data. The company did not tell regulators or users that their information had been stolen. Uber failed to report the hack of driver’s license information. Until now, Uber has not yet commented on how the company can be sure that the hackers did in fact destroy all or any of the data.
“None of this should have happened, and I will not make excuses for it,” said Dara Khosrowshahi, CEO Uber “We are changing the way we do business.”
But let’s not talk about what Uber did wrong by neglecting to inform the public about the hack according to laws like the EU’s GDPR. Let’s talk about what we can learn from it.
How the breach went down
First of all – let’s take a look at how the data breach went down:
According to Bloomberg, two attackers got access to a private GitHub coding site, a platform for collaborating on development projects, which is used by Uber software engineers. Even if we don’t know how their private account was compromised, it most likely involved some degree of carelessness.
On this GitHub site, they found login credentials to company data stores hosted by Amazon Web Services that handled computing tasks for Uber. This is where the hackers discovered an archive with rider and driver information.
What can we learn from the Uber breach?
“At the time of the incident, we took immediate steps […] to restrict access to and strengthen controls on our cloud-based storage accounts” said Khosrowshahi.
Interestingly, this is not the first time that hackers have gained access to Uber’s network this way:
As early as in 2014, hackers got hold of the data of 50,000 Uber drivers by using a login key they found in a code publicly posted on GitHub by Uber developers.
DJI, a Chinese drone manufacturer, recently made a similar mistake by posting code publicly on GitHub, including private keys to their Amazon Web Services cloud. And if we look at the numbers: in the past few years, hackers have managed to successfully infiltrate the data stores of many big companies, such as Yahoo, Myspace, Target, Anthem and Equifax.
Do companies have to strengthen their password policies and improve access control? Let’s have a show of hands: which Chief Security Officer is 100% sure that every employee is acting according to the recently enacted password policy?
Network protection and access control are very important but closing every gap in a complex enterprise network is simply not possible.
What if we have to take a different approach to data security? What if a company is able to say: “We have been hacked but no worries, the data the hackers got a hold of is completely useless!”
Yes, there are other ways to protect sensitive data.
comForte is offering one of the most powerful solutions to this problem.
