Breach, Compliance Management, Threat Management, Data Security

Uber’s delayed breach notification would run afoul of GDPR

If the Global Data Protection Rules (GDPR) had been in effect during the latest Uber hack, the ride-sharing company would have faced stiffed consequences – or maybe it would have chosen a more prudent, secure route by promptly revealing the attack that compromised the personal data of 57 million customers and drivers, and by taking bold steps to mitigate the damage.

GDPR, which takes effect next May, is “designed specifically to deal with such occurrences. Under [GDPR], Uber would have had to notify the regulator within 72 hours of being aware of the hack (not the year or so in this case). And assuming the regulator found them in breach of the regulations, they would have to pay a fine of four percent of global annual turnover, or 20 million Euros, whichever is higher,” said Dean Armstrong QC, cyber law barrister at Setfords Solicitors. “As Uber hasn't released its figures, we can't speculate as to the potential final cost of the fine, but it is fair to say the regulator would come down hard, and under the regulations it would likely be in the tens of millions.”

But the company will likely feel the biggest impact on “reputation, which although harder to quantify than a fine could far outstrip any penalty handed to them by a regulator,” said Armstrong. “The U.K. and Europe are adopting stricter rules on personal data protection for precisely this kind of event."

Attackers lifted a set of login credentials from a GitHub coding site that Uber software engineers used, then accessed an infrastructure account where computing tasks are handled, only to find a treasure trove of archived driver and rider data.  

“The hack wasn't sophisticated – the digital thieves broke into the accounts of two Uber engineers on Github, where they found the passwords to some online data storage that contained the personal info, according to the report,” said Imperva CTO Terry Ray.

“This appears to be a prime example of good intentions gone bad. Using an online collaboration and coding platform isn't necessarily wrong, and it isn't clear if getting your accounts hacked on these platforms is even uncommon,” said Ray, who flagged as problematic the use of live production data “in an online platform where credentials were accessible in Github. “Sadly, it's all too common that developers are allowed to copy live production data for use in development, testing and QA. This data is almost never monitored or secured, and as we can see here, it is often stored in various locations and is often easily accessed by nefarious actors.”

Contending that Uber “played a risky game” by concealing the incident and paying the hackers $100,000 to delete the purloined data, which will likely embolden bad actors to steal personal information from other organizations, Armstrong said GDPR's eminent arrival pointed to “a huge shift in thinking towards this issue.”

Now Uber is left “to navigate a labyrinth of financial and state breach notification laws given a user base spanning the globe,” particularly GDPR, said Mark Sangster, vice president and industry security strategist at eSentire.

Sitting on the breach for a year could cause untold damage for the company, its employees and customers. “While comedians and senators are finding out that they can't keep sexual harassment under wraps, companies are learning that they can't bury the news when they get hacked,” said Jeff Williams, CTO and cofounder of Contrast Security. “In this case, Uber was legally required to disclose this breach, and I'm sure there will be repercussions.” 

Williams called the breach likely “the tip of the iceberg.” While some incidents “don't legally require disclosure,” they “would outrage consumers if they knew,” he said. “And most organizations are sitting on mountains of unfixed vulnerabilities that don't require disclosure. Another outrage.”  

Sangster finds Uber's response baffling, after a series of mega-breaches that rocked organizations should have been wake-up calls. “It's fascinating that even in light of the mega-breaches of 2016 and 2017, companies consider non or delayed breach disclosure as an option,” he said. “The number of records compromised in the Uber hack far exceeds the entire population of Canada. We're not talking small beans, here.”

Maintaining that “companies today have no excuse when it comes to cybersecurity controls,” since they have an abundance of tools and guidelines to choose from, Sangster said, “in Uber's case, you have a company already enduring a PR firestorm. Mix in a significant one-year-old, non-disclosed breach, and that storm suddenly becomes a hurricane.”

Sangster fully expects that the Uber breach “will set new precedents when it comes to regulatory compliance and disclosure mandates.”

Indeed, after the GDPR takes effect in May, “‘doing an Uber' will be unacceptabl,e so organizations need to be working overtime now to get their technology, people and processes ready for compliance,” said Simon Townsend, chief technologist, EMEA, for Ivanti and an expert in GDPR best practices.

The decisions of the ride-sharing company to delay notification and pay hackers not only stands to sully Uber, but security organizations on whole. “While I suspect most will rest the blame squarely on Uber as a corporation and its well-known lack of leadership, it's the choices made by the Chief Security Officer [Joe Sullivan] and one of his deputies that are the most shocking part of this data breach,” said AsTech Chief Security Strategist Nathan Wenzler, who said that legitimate security professionals know better.

“The community at large is built upon integrity in all matters,” said Wenzler. “When you act as the front line of defense for an organization, it is imperative that your security team operates in the most honest and forthright manner possible.”

Mark Orlando, CTO for cyber services at Raytheon, noted that “any time companies suffer a large data breach, they run the risk of making things worse, both for their customers and for the larger community.”

Since “hackers talk to each other,” Uber in its silence “has empowered them for a year, where they could have brought this into the light, raised public awareness of the threat and made some good come of this,” said Orlando. “Instead, the company gave its attackers exactly what they wanted – a lot of money, and a reason to try this again and again.”

The morality of paying the hackers might be up for debate, but “the lack of responsible disclosure in reporting the incident to regulators is something every security professional should consider to be an unforgivable crime,” Wenzler said. “We're here to protect people's identities and critical data, and when the worst happens, we must do all we can to mitigate the damage; inform people that their data may be compromised, so they can be more aware and vigilant of misuse; and ultimately, help educate them on what they can do to protect themselves.”

Uber must account for its actions, the pros said. “Some of the questions that should be answered include: Why did engineers have access to 57 million records of personally identifiable information? Did they go through an approval workflow to move that data online? Did Uber security have any monitoring in place to alert them when such vast amounts of data were accessed?,” said Ray. “Controls to alert on suspicious data access do exist, but my guess is that they were not used, which is all too typical in today's enterprises.”  

Unfortunately, Uber is not alone in security foibles and its massive breach underscores the need for all organizations to be accountable and step up their security. “When a company places data in the public cloud, they are ultimately responsible for the security of that data. Reminiscent of when, in the movie The Blues Brothers, John Belushi yelled at Carrie Fisher, ‘It wasn't my fault,' it was in fact very much his fault,” explained Bob Noel, director of strategic relationships and marketing for Plixer. “Companies can no longer brush off responsibility for the loss of personally identifiable information (PII)” and should “begin to require documentation providing best practice security controls are in place” from their third-party cloud providers.  

“Until businesses stop saying that they take security seriously and actually start doing it, we will continue to see the list of breaches grow,” said Wayne Reynolds, vice president of security at Armor, noting the low impact and ease of implementing basic blocking and tackling of security controls. “Threat actors are fully aware that development/engineering environments typically have the weakest security within a business. These malicious actors will continue to target these areas until we response by stepping up the game and start securing them as production assets.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.