Euro Security Watch with Mathew J. Schwartz

Breach Notification , Breach Preparedness , Breach Response

Fast and Furious Data Breach Scandal Overtakes Uber Ride-Sharing Firm Reportedly Fired CSO for Concealing 2016 Breach
Fast and Furious Data Breach Scandal Overtakes Uber
Photo: Sandeepnewstyle via Wikimedia Commons

Move over Equifax. There's a massive new data breach notification in town.

See Also: Ransomware: The Look at Future Trends

Ride-hailing firm Uber, which offers a platform that connects drivers and riders, warned Tuesday that it suffered a massive breach that began in October 2016 (see Uber Concealed Breach of 57 Million Accounts for a Year).

Uber says 57 million riders' personal details - names, email addresses and mobile phone numbers - were exposed. It has yet to release a list of all affected countries. Uber says 600,000 of its U.S. drivers also had their names and driver's license numbers exposed.

The breach appears to have affected a substantial portion of Uber's riders and drivers. Last year, Uber said it had more than 40 million monthly active users. As of May, it appeared to control about 77 percent of the U.S. ride-hailing market.

Uber's data breach notification follows massive breaches first disclosed this year by Equifax, Yahoo and the U.S. Securities and Exchange Commission. Of all those organizations, only Equifax came clean relatively quickly about its breach.

Thrills, Spills, Political Theater

If the Uber breach saga unfolds like the others, expect to see a fair amount of political theater in the form of Congressional hearings that don't result in any new consumer protection laws. Also expect probes by states' attorneys general, which may result in fines and settlements forcing Uber to improve its cybersecurity practices. Regulators in any other countries with citizens whose personal data was exposed also will scrutinize Uber (see Driving Privacy Regulators Crazy: UK Probes Uber Breach).

Already, Uber is facing questions about why it waited more than a year to issue a public alert about the breach. A sample data breach notification Uber filed with the state of California on Wednesday reveals that hackers appeared to be inside its systems from October 2016 to November 2016.

Excerpt from Uber's sample breach notification letter to victims, dated Nov. 22, 2017.

Uber's breach notification letter says it will offer U.S. victims 12 months of prepaid identity theft monitoring services via Experian.

But this is all part of the well-worn data breach script. Indeed, after some public excoriation by Congress and settlements with states, Uber can expect to get back to business as normal. Because if this breach follows the template for nearly every other data breach - except for bitcoin exchanges that go bust or businesses like Yahoo that discover their breaches while in negotiations to be acquired - Uber's stock price will have recovered within 12 months (see Cynic's Guide to the Equifax Breach: Nothing Will Change).

Rolling Scandals

Uber's HackerOne program overview, pictured on Nov. 22, 2017.

News of the breach is only the latest in a series of seemingly never-ending scandals at Uber, which investors have valued at $68 billion. The firm faces a number of probes and lawsuits over alleged sexism, harassment and the theft of self-driving car trade secrets from Google parent Alphabet.

Now, several media outlets have reported that Uber paid two hackers who discovered the breach - and exfiltrated data on 57 million users - $100,000 in return for promising to delete the data and remain silent about the whole incident.

Uber has positioned the payment as a bug bounty. But some security experts say the one-off $100,000 payment looks suspiciously like an extortion payoff.

To date, Uber has paid $1.3 million in bounties to 778 researchers via the HackerOne bug bounty program, which works out to $1,660 on average for each vulnerability report.

But the largest bounty Uber says it pays via HackerOne is $10,000 - a far cry from its reported $100,000 payout.

Who Covered Up?

Beyond the payment particulars, numerous questions remain. Who inside Uber knew about the breach, when did they know it and why didn't they alert victims?

Sample data breach notification filed by Uber with the state of California on Nov. 22.

Uber didn't immediately respond to my request for more details, including whether it has alerted law enforcement agencies and regulators to the breach as well as the full results of an investigation launched last month by its board of directors. Bloomberg reports that this investigation first brought the 2016 data breach to the board's attention.

Uber said its investigation resulted in the dismissal of CSO Joe Sullivan and his deputy, Craig Clark, for alleging covering up the breach, the Wall Street Journal reports.

Uber CEO Dara Khosrowshahi threw former CEO Travis Kalanick under the "on-demand car" - so to speak - after saying Tuesday that he'd only recently learned about the breach. Khosrowshahi, who replaced Kalanick less than three months ago, says he then immediately launched an investigation over Uber's "failure to notify affected individuals or regulators last year."

Khosrowshahi also apologized for the breach and tardy breach notification. "We will learn from our mistakes," he said.

Corporate Infrastructure Breached

In his Tuesday statement, Khosrowshahi attempted to reassure investors by saying that the hackers only gained access to cloud-based third-party infrastructure used by the firm, which Bloomberg reports was a private GitHub site used by Uber's engineers. "The incident did not breach our corporate systems or infrastructure," he claimed.

Security experts suggest otherwise. "Hate to be the one to break it to you Dan, but that 'third-party cloud-based service' *is* your corporate systems and infrastructure, functionally and legally," says Rik Ferguson, vice president of security research for anti-virus firm Trend Micro, via Twitter.

Chris Pierson, chief security officer and general counsel for payment services firm Viewpost, tells me that engineers choosing to take their data outside the company in an apparent "shadow IT" move isn't unusual. "Most of the time these are locations where individuals ... seek to maintain their current engineering speed and velocity to get business done," he says, in spite of whatever corporate best practices or policies or rules laid down by the information security team might specify.

For its part, Uber's CEO says his company has now put in place the access controls it should have been using on the cloud service to begin with. He also says Uber "obtained assurances that the downloaded data had been destroyed" from the two hackers who found and exfiltrated data for 57 million accounts.

Question for Uber investors and users: Do you feel reassured?



About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network