The news was just released that a massive breach hit Uber in October of 2016. The personal information of 57 million Uber users and 7 million Uber drivers were stolen, including names, email addresses and phone numbers. In addition, about 600,000 drivers’ license numbers of Uber drivers were also stolen. This type of breach typically warrants a notification to the affected users as well as notification to regulators of the breach. Instead, Uber paid the hackers $100,000 to ‘delete’ the data and not go public with the breach. Today Uber fired the CISO and a deputy of the CISO because of their role in covering up the breach.
So what happened? How did the hackers gain this data? Unfortunately, this seems to be a very easy attack. The hackers first went to one of Uber’s public GitHub repositories. The attackers scoured the files in the GitHub repository and eventually found credentials which allowed them to login to Uber’s AWS account. The AWS account had archives of personal rider and driver information. So in a nutshell, all the attacker had to do was look through GitHub, find some creds, login to AWS and download data. Way too easy.
What’s even more troubling is the fact that this breach occurred while Uber was being investigated for a breach that occurred a few years earlier. Instead of coming clean and informing affected users, Uber decided to cover up the breach and not inform anyone affected. It also paid the hackers $100,000 to ‘delete’ the data and not go public. There’s absolutely no assurances the hackers deleted this data; they could still have it and hold it for ransom whenever they want. Uber has truly failed in their duty to their customers to protect their privacy, and even went so far as to actively prevent their users from finding out that a breach took place. This is simply unacceptable. Companies need to protect themselves from breaches wherever possible, but if a breach does occur, they have an obligation to their user base to inform them they could be at risk.
We’ll keep our ears out for more information as this story unfolds and keep you updated.
This is a Security Bloggers Network syndicated blog post authored by Ryan O'Leary. Read the original post at: Blog – WhiteHat Security