In 2016, Uber was hacked, but the breach was not disclosed until this Tuesday. Hackers accessed the personal information of millions of Uber users, including names, email addresses and phone numbers, and the license numbers of 600 000 drivers.
Uber stated that no sensitive information, such as credit card numbers, bank account details and social security numbers, had been revealed.
“None of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.” Dara Khosrowshahi, CEO.
The company knew about this hack. Allegedly, Uber’s security team paid $100 000 to have the data deleted and keep the hackers quiet. There is no evidence that they actually deleted this information. Uber says that so far none of the data has been used, and it would not confirm that the ransom was paid.
Bloomberg was the first news portal to report on this story.
What has happened so far?
- In late 2016, two hackers accessed the information of 50 million Uber customers and 7 million drivers, including 600 000 U.S. license numbers.
- The company didn’t disclose this information either to the customers or the drivers.
- After finding out about the breach, Uber allegedly paid $100 000 for the hackers to keep quiet and delete the data. Bloomberg reports that Joe Sullivan, Uber’s chief security officer at the time, is no longer with the company because of the breach and alleged cover-up.
- Uber CEO Dara Khosrowshahi, who joined the company this September, disclosed the incident on Tuesday, 21 November 2017.
- Uber claims that additional security measures were implemented, the hackers were identified, the vulnerabilities were fixed, and the situation is under control. According to the company, it monitors the affected accounts, and no further action has to be taken.
- A resource page for those affected has been set up.
- Uber offers credit monitoring and identity theft protection to the drivers free of charge.
What mistakes has Uber made?
Looking at Uber’s situation, it’s clear that the usual cybersecurity practices in big corporations need to be reviewed. Cybersecurity holes leave both clients and drivers unprotected. This situation leads to the point where people may no longer trust the company.
There are many best practices every company has to follow to keep proper cybersecurity hygiene. Mostly, it is smart to focus on the 3 fundamental principles of cyber security for business. We’ve discussed them in our previous blog post.
However, principles are one thing, and reckless employers tell quite a different story. Keeping important credentials in plaintext on GitHub is the third point in this story.
The biggest mistake that Uber has made, however, is hiding the truth from their clients, expecting to get away with a bribe. Such communication (or lack of it) and incident response are among the worst things a company can do. And this is what the ex-CEO of Uber, Travis Kalanick, did, shooting his company in the foot.
What’s the takeaway here?
While this is big, it is not as important as the breaches that were disclosed recently about Yahoo or Equifax. Private details of 57 million Uber riders and drivers were leaked. However, credit card information remained untouched and protected (at least from what we know at the moment and if we can trust what Uber says).
In this case, a user is in a position where he cannot do anything for himself. Proper password hygiene and all the other recommendations we constantly give out are valid, but they soon get boring.
The issue in this situation is the loss of trust in a company, how one can react, and what actions are to be taken. It’s not the data that has been stolen; it’s all the lies and the attempt to hide something.
And it’s not that the service of Uber is terrible. It’s great, and so is the idea of Uber. But the management and the people responsible for specific actions are what drive this company lower and lower.
Should they succeed in recovering from this one and start regaining users’ trust, what might happen next?