Founded by Garrett Camp in 2009, Uber has revolutionized the way we travel locally and has taken ridesharing to a whole new level. After spending $800 for a private driver on New Year’s Eve, Camp envisioned a car service made more affordable by allowing people to share both the ride and the cost. Uber has grown to operate in over 600 cities worldwide, with riders taking 15 million trips every day.
In October 2016, attackers hacked into one of Uber’s data storage servers and stole millions of users’ personal information. The company was notified of the breach approximately one month later, when Joe Sullivan, Uber’s chief security officer at the time, received an email from one of the attackers, “John Doughs”, that stated, “I have found a major vulnerability in Uber”. At the request of Rob Fletcher, Uber’s product security engineering manager, the attacker provided proof of the vulnerability by sharing a few lines of stolen data from the database. Through continued email exchanges between Fletcher and the attacker, Uber was able to ascertain exactly how the data had been breached. According to Jeremiah Grossman, chief of security strategy at SentinelOne, this was not a sophisticated attack. Like many organizations, Uber used a private GitHub repository, a web-based platform that allows developers to collaborate on and manage projects, primarily code. Some Uber employees had stored usernames, passwords, and keys within the code, a dangerously common practice among developers because it allows fast, automated access to privileged data or services. Through this platform, the attackers were able to obtain credentials that gave them privileged access to Uber’s Amazon Web Services (AWS) account. Uber admitted the GitHub account was not protected with multifactor authentication, so experts presume the account was cracked using a brute-force attack or something similar. From the data storage server, the attackers downloaded plaintext personal information for approximately 57 million riders and drivers. The unencrypted data included names, email addresses, and phone numbers of riders, and names and driver’s license numbers for over 600,000 drivers. Though breach disclosure laws differ from state to state, most require public disclosure when names are exposed together with driver’s license numbers, as this is considered a breach of security.
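The root cause described above, credentials committed into a code repository, is exactly what automated secret scanning is meant to catch before a commit lands. The following is an added example written for this essay, not Uber’s or GitHub’s own tooling: a small scanner that checks a set of files for AWS access key IDs, AWS secret keys and hardcoded passwords, redacts what it finds so the report itself does not leak the secret, and applies a commit gate. The sample repository contents are constructed for the example; the AWS values in it are the placeholder credentials AWS publishes in its own documentation, and the two non-AWS patterns are heuristics that would need tuning for a real code base.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Detection patterns for the credential types the essay describes (access keys
# and passwords committed into source). The AWS access key ID shape
# (AKIA + 16 upper-case alphanumerics) follows AWS's documented format; the
# other two are heuristics (assumption) and will need tuning per code base.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})['\"]?"
    ),
    "hardcoded_password": re.compile(
        r"(?i)(?:password|passwd|pwd)\s*[=:]\s*['\"]([^'\"]{6,})['\"]"
    ),
}


@dataclass
class Finding:
    path: str
    line_no: int
    kind: str
    redacted: str  # the full secret is never stored or printed in the report


def redact(secret: str) -> str:
    """Keep a four-character prefix so the finding is identifiable; mask the rest."""
    return secret[:4] + "*" * (len(secret) - 4)


def scan_text(path: str, text: str) -> List[Finding]:
    """Scan one file's contents line by line and return every credential match."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(path, line_no, kind, redact(match.group(1))))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of path -> contents, as a pre-commit hook would supply."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per credential type."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


def commit_allowed(findings: List[Finding]) -> bool:
    """Gate policy: any finding blocks the commit until the secret is removed."""
    return len(findings) == 0


# Constructed sample repository for the example. The AWS values are the
# placeholder credentials from AWS's own documentation, not real keys.
SAMPLE_FILES = {
    "config/settings.py": (
        'DEBUG = False\n'
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
        'DB_PASSWORD = "hunter2hunter2"\n'
    ),
    "deploy/run.sh": (
        '#!/bin/sh\n'
        'export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n'
        'aws s3 sync s3://rider-backups ./backups\n'
    ),
    "README.md": (
        '# Deployment\n'
        'Read AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY from the environment.\n'
    ),
}

if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for f in results:
        print(f"{f.path}:{f.line_no}: {f.kind} {f.redacted}")
    print("commit allowed:", commit_allowed(results))
```

Run against the constructed repository, the scanner reports two access key IDs, one secret key and one password across the two files that carry credentials, nothing for the README that only names the environment variables, and blocks the commit. Scanning alone does not replace multifactor authentication on the repository account or short-lived cloud credentials; it removes the long-lived secret that made the stolen repository access valuable in the first place.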
Despite Mr. Fletcher advising the hacker that the company’s maximum bounty was $10,000, the attacker demanded “high compensation” and stated they would only accept “six digits”. Uber eventually agreed to pay the attackers $100,000 in Bitcoin through the bug bounty platform HackerOne. Bug bounty programs are used by many companies to have outside sources (ethical hackers) identify potential security problems before the vulnerabilities are exposed and exploited by hackers. Once a newfound vulnerability has been reported to the company, the hackers are rewarded financially, some receiving very lucrative rewards for identifying the most serious security flaws. During the email exchanges, Mr. Fletcher also gained additional details about the hacker’s identity, Internet hosting provider, and location. Part of the arrangement included the hacker’s guarantee to destroy the stolen data; Uber was satisfied with proof in the form of a virtual image of the attacker’s system. In addition, Uber representatives traveled to a Florida trailer park to meet the 20-year-old attacker, known only as “Brandon,” for the signing of a non-disclosure agreement.
Under fire for several public scandals and in the midst of negotiating a settlement with the Federal Trade Commission (FTC) for the mismanagement of a previous data breach in 2014, Uber chose to actively cover up the breach. The company failed to publicly disclose the attack to any of its users or to the FTC. Joe Sullivan, Uber’s chief security officer, refused to acknowledge that a breach had occurred and described the attack as an “authorized vulnerability disclosure”. However, in a congressional hearing in February 2018, John Flynn, Uber’s current chief information security officer, acknowledged that this particular bug bounty exchange was distinctly different from how the company normally handles bounty payouts. The attackers in this case not only uncovered a hidden vulnerability but also maliciously exploited it by downloading the private data.
In November 2017, more than a year after the breach occurred, the newly appointed chief executive officer, Dara Khosrowshahi, made the breach public and admitted Uber had intentionally hidden the extortion-based attack from both the public and the FTC. He stated that at the time of the breach, Uber immediately secured the data, preventing further access by unauthorized individuals, and implemented security measures to strengthen controls and restrict access to the cloud-based storage account. He promised to perform a thorough internal investigation and to have independent forensic experts investigate the breach to determine exactly how the hack occurred. Dedicated to improving Uber’s reputation, Khosrowshahi stated, “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes”. Uber announced it has no intention of notifying individual customers whose accounts may have been compromised, stating instead that the company has “seen no evidence of fraud or misuse tied to the incident”. The company further stated it will instead monitor affected accounts by flagging them for additional protection against fraud. Uber maintains that the independent investigation performed by the outside security firm Mandiant found no indication that trip information, dates of birth, social security numbers, credit card numbers, or bank account numbers were stolen.
Security experts say that hackers could use the stolen data for phishing attacks, or could combine the types of data stolen in this attack with data stolen in other attacks and then use the combined information for identity theft. The resulting damage to consumers may not be known until well in the future, if and when any problems arise.
If the attackers did, in fact, destroy the data as promised, and since there have been no reports of incidents involving the stolen personal information, it seems Uber is the only one suffering from this breach, simply because it chose to cover it up rather than report it as required by law. External law firms representing Uber advised that the incident should have been disclosed when it was discovered. With a federal investigation and lawsuits filed by 43 states, Uber’s legal troubles are far from over. As a consequence of their roles in the cover-up and extortion payment, Joe Sullivan and Craig Clark, the lawyer who arranged the $100,000 bounty payment, were terminated. The cost, both financial and reputational, will continue to affect the company for some time.
It has been said many times in the information security arena that the question is not if a security breach will occur, but when. The average corporate cost of a data breach is $3.62 million, with $141 as the average cost per lost or stolen record. These costs include legal expenses, identity protection, regulatory interventions, remediation, increased customer service requests, and product discounts. Given the loss of trust in the affected organization, an expected and most unfortunate casualty is a loss of customer revenue. Organizations are more successful in retaining customers when they build trust and loyalty before an incident and offer identity protection in its aftermath. Planning in advance and taking steps to mitigate breaches will ensure an organization’s ability to manage the event properly and reduce the likelihood of breaches taking place in the future.