New information in the Uber hack of 57 million users is coming to light this morning. The company now admits to paying the hackers $100,000 USD to delete the stolen data and to keep quiet about it. The payoff isn’t the baffling thing here; it’s the request from Uber for the crooks to keep their mouths shut. Some people could take that action as a sign that Uber may be hiding other things as well.
Corey Williams, senior director of products and marketing at Centrify, provided us with some commentary on the case.
History is replete with examples of individuals and organizations turning manageable problems into serious crises simply by trying to hide the truth.
While the Uber breach was large in terms of the 57M customer and driver records lost, if Uber had followed standard breach protocol by notifying authorities and impacted users, remediated the problem and laid out the steps they were taking to avoid future breaches, the impact would have been much less. Uber was under a legal obligation to notify regulators and the impacted users and drivers. Instead, they took extreme measures to hide the hack, paying $100k to the hackers to remain quiet, and actively took steps to keep the truth under wraps.
How it happened
We know that the two attackers accessed a GitHub coding site used by Uber software engineers, found a set of login credentials, and used those credentials to access an infrastructure account that handled computing tasks for the company. Within that infrastructure, the attackers discovered the archive of rider and driver information.
And while the cover-up is making the headlines, this hack was utterly preventable. Unfortunately, companies continue to rely on a system of trust. Trust that a simple username and password is enough to know who is accessing their network and systems. Trust that perimeter security has eliminated all of the bad actors within the network. And trust that once on the network or system that the user should have access to any data or commands.
How it could have been prevented
A simple password is simply not enough. The time has come to no longer trust in too-easily stolen passwords for ensuring that users are who they say they are.
Instead, now is the time to move to a zero-trust approach that only grants access to services based on what we know about the user and their device. A zero-trust stance that ensures all access to services must be authenticated, authorized and encrypted.
Only then will these utterly preventable hacks start to subside.
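The attack path described above starts with credentials sitting in a source repository. One defensive control that closes that door is scanning commits for credential-looking strings before they ever reach a shared repository. The following is an added example written for this article, not code from Uber, Centrify or any named product: a small Python pre-commit style scanner run over constructed sample file contents. The AWS access key ID shape (`AKIA` followed by 16 uppercase alphanumerics) is a documented real format; the other rules, the placeholder filter and the sample files are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Detection rules. Each pattern exposes the sensitive part as the named group
# "value" so the report can redact it. The AWS key ID shape is a real, documented
# format; the remaining rules are generic heuristics assumed for this example.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?P<value>AKIA[0-9A-Z]{16})\b"),
    "generic_password_assignment": re.compile(
        r"(?i)(password|passwd|pwd|secret|api[_-]?key|token)\s*[=:]\s*"
        r"['\"](?P<value>[^'\"]{8,})['\"]"
    ),
    "private_key_block": re.compile(
        r"(?P<value>-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)"
    ),
}

# Values that look like documentation placeholders rather than live secrets.
PLACEHOLDER = re.compile(r"^(<.*>|\$\{.*\}|\*+|x+|changeme|example)$", re.I)


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    snippet: str  # redacted value, safe to print in CI logs


def redact(value: str) -> str:
    """Keep a short prefix for triage and mask the rest."""
    return value[:4] + "*" * (len(value) - 4)


def scan_text(path: str, text: str) -> list[Finding]:
    """Return findings for one file's contents, one per matching line and rule."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            value = m.group("value")
            if PLACEHOLDER.match(value):
                continue  # documented placeholder, not a credential
            findings.append(Finding(path, line_no, rule, redact(value)))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> contents (e.g. the staged files of a commit)."""
    results = []
    for path, text in files.items():
        results.extend(scan_text(path, text))
    return results


# Constructed sample of files staged for commit. The key and secret values are
# made up for this example and are not real credentials.
SAMPLE_FILES = {
    "deploy/config.py": (
        "import os\n"
        "DB_HOST = 'db.internal.example'\n"
        "DB_PASSWORD = os.environ['DB_PASSWORD']\n"   # read from env: allowed
        "CLOUD_KEY = 'AKIAEXAMPLEKEY000001'\n"         # hardcoded key ID: flagged
        "CLOUD_SECRET = 'c0nstructedSampleSecretValue1234'\n"  # flagged
    ),
    "README.md": "Set API_KEY = '<your key here>' before running.\n",  # placeholder
}


def main() -> int:
    """Exit non-zero when anything is found, so a git hook can block the commit."""
    findings = scan_files(SAMPLE_FILES)
    for f in findings:
        print(f"{f.path}:{f.line_no}: {f.rule}: {f.snippet}")
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Wired into a pre-commit hook (scan the staged files and refuse the commit on a non-zero exit), this catches the two hardcoded values in `deploy/config.py` while letting the environment-variable lookup and the README placeholder through. Pattern scanning is a backstop, not a substitute for short-lived credentials and the per-request authentication Williams describes: a leaked key that expires in an hour is far less useful to an attacker than one that lives in a repository for years.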
It’s a bizarre story and there are new reports that the company has already fired some of the security staff. It will be interesting to see how regulators and especially the public react to not only the incident, but Uber’s handling of it.
Last Updated on November 22, 2017.