Management Coverup At Uber After 57m Customers Hacked

Uber concealed a massive global breach of the personal information of 57 million customers and drivers in October 2016, failing to notify the individuals and regulators, the company acknowledged on Tuesday 21st November.

Uber confirmed it had paid the hackers responsible $100,000 to delete the data and keep the breach quiet. Uber also disclosed that hackers had stolen 57 million driver and rider accounts and that the company had kept the data breach secret for more than a year after paying a $100,000 ransom.

Hackers stole personal data including names, email addresses and phone numbers, as well as the names and driver’s license numbers of about 600,000 drivers in the United States.  The company said more sensitive information, such as location data, credit card numbers, bank account numbers, social security numbers, and birth dates, had not been compromised.
The deal was arranged by the company’s chief security officer and under the watch of the former chief executive, Travis Kalanick, according to several current and former employees who spoke on the condition of anonymity because the details were private.

The security officer, Joe Sullivan, has been fired. Mr. Kalanick was forced out in June, although he remains on Uber’s board.
The two hackers stole data about the company’s riders and drivers, including phone numbers, email addresses and names, from a third-party server and then approached Uber and demanded $100,000 to delete their copy of the data, the employees said.

Uber acquiesced to the demands, and then went further. The company tracked down the hackers and pushed them to sign nondisclosure agreements, according to the people familiar with the matter. 

To further conceal the damage, Uber executives also made it appear as if the payout had been part of a “bug bounty”, a common practice among technology companies in which they pay hackers to attack their software to test for soft spots.
The details of the attack remained hidden until Tuesday. The ride-hailing company said it had discovered the breach as part of a board investigation into Uber’s business practices.

The breach at Uber is far from the most serious exposure of sensitive customer information. The two breaches that Yahoo announced in 2016 eclipse Uber’s in size, and an attack disclosed in September by Equifax, the consumer credit reporting agency, exposed a far deeper trove of personal information for a far larger group of people. In bothe cases the management of these companies failed to follow best practice in crisis management in their handling of the breaches, as Columbia Business School's Adam Galinsky explained in a recent interview. 

But the handling of the breach underscores the extent to which Uber executives were willing to go to protect the $70 billion ride-hailing giant’s reputation and business, even at the potential cost of breaking users’ trust and, perhaps more important, state and federal laws. The New York attorney general’s office said on Tuesday that it had opened an investigation into the matter.

Dara Khosrowshahi, who was chosen to be chief executive of Uber in late August, said he had only recently learned of the breach. “None of this should have happened, and I will not make excuses for it,” Mr. Khosrowshahi said in a company blog post. “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”

A spokeswoman for Mr. Kalanick declined to comment.

The revelation of the breach and the way it was kept quiet renewed questions about the tenure of Mr. Kalanick, who has faced criticism over his management style and practices after Uber came under scrutiny for its workplace culture this year. The New York Times also reported on a secret program called Greyball that had been undertaken on Mr. Kalanick’s watch, in which Uber staff members surveilled law enforcement officials in order to evade them. Since his exit as chief executive, he has been sued by one of Uber’s earlier investors for fraud.

The breach is also a black mark for Mr. Sullivan, who was a prominent figure in the information security industry. Mr. Sullivan joined Uber as the company’s first chief security officer in 2015, after serving as the head of security at Facebook for seven years.

Unlike many cybersecurity executives, Mr. Sullivan was previously a lawyer and had studied cyber-law at the University of Miami. He began his career in the technology industry as a federal prosecutor during the tech boom of the late 1990s, working at companies including eBay in 2002, where he was head of trust and safety. 

The company’s decision to conceal the breach and pay the ransom quickly raised questions among security experts. Many have repeatedly warned companies against paying hackers a ransom to cover up breaches or return stolen data, advice that was included in a 2016 statement from the FBI And several states including California have laws mandating that companies disclose when they are breached by hackers.
“Companies are funding organised crime, an industry of criminals is being created,” said Kevin Beaumont, a cybersecurity expert based in Britain. “The good guys are creating a market for the bad guys. We’re enabling them to monetise what years ago would have been teenagers in bedrooms breaching companies for fun.”

Uber has experienced breaches before. The company was hit with a data breach in May 2014, an event Uber discovered later that year and disclosed in February 2015. In that attack, the names and driver’s licenses of more than 50,000 of the company’s drivers were compromised.

This latest breach puts Uber in another difficult situation just as the company is working to repair its battered image and preparing to seek an initial public offering in 2019. 

Mr. Khosrowshahi has characterised his tenure at the company as “Uber 2.0.” As part of that, he has tossed out the aggressive corporate values that were prized by Mr. Kalanick and given the ride-hailing service a new list of values that includes “doing the right thing. Period.”
Uber has hired Matt Olsen, former general counsel at the National Security Agency, as an adviser, and has retained Mandiant, a security firm, to conduct an independent investigation of the security breach. Uber said Mr. Olsen planned to reorganise the company’s security team.

But the damage has already been done, and Uber officials are aware of the long road back to good standing with the public.

New York Times:            Guardian:    

You Might Also Read: 

Uber’s U-Turn On User Watching:

Uber Faces A Criminal Probe In The US:

Google Lawsuit Could Be Fatal For Uber:

 

 

« Computers Say ‘No’ But AI’s Decisions Must Be Fair & Transparent
A Response Solution to Cyber Attacks »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

Security Compass

Security Compass

Security Compass, the Security by Design Company, enables organizations to shift left and build secure applications by design, integrated directly with existing DevSecOps tools and workflows.

SSH Communications Security

SSH Communications Security

SSH Communications Security is a leading provider of enterprise cybersecurity solutions for controlling trusted access to information systems and data.

Atlantic Council

Atlantic Council

The Atlantic Council's Cyber Statecraft Initiative focuses on international cooperation, competition, and conflict in cyberspace.

360Logica

360Logica

360Logica is a software testing company offering numerous kinds of testing services to improve the quality and performance of your software and IT systems.

National Cyber-Forensics & Training Alliance (NCFTA)

National Cyber-Forensics & Training Alliance (NCFTA)

NCFTA is a trusted alliance of private industry and law enforcement partners dedicated to information sharing and disrupting cyber-related threats.

PROMIA

PROMIA

PROMIA is in the business of providing solutions that are designed to support highly secure, reliable, scalable and interoperable business applications.

Shieldfy

Shieldfy

Shieldfy is a cloud-based security shield for your website to protect it from cyber attacks and malwares.

ValueMentor

ValueMentor

ValueMentor is a leading cyber security service provider in the Middle East. We enable clients to reduce risk by taking a strategic approach to cybersecurity.

Avertro

Avertro

Avertro helps leaders manage the business of cyber. We help explain cybersecurity to executives, forecasting outcomes, right-sizing your spend, and validating your cyber strategy.

BullWall

BullWall

BullWall is a digital innovator dedicated to fight cybercrime in its many forms. Our overarching purpose is to stop new and unknown strings of ransomware attacks in its tracks.

Stronger International

Stronger International

Stronger International provides expert cyber services and training to organizations and individuals to enhance IT and security knowledge.

Protelion

Protelion

The Protelion Security Platform is uniquely architected to deliver security solutions that combine greater protection, flexibility, and performance.

One82

One82

Serving emerging small and medium-sized businesses in California and neighboring regions for over 20 years, One82 has established itself as the most dependable provider of IT support services.

Boltonshield

Boltonshield

Boltonshield provide a unique and proactive approach to cyber defence with managed security services, integrated technologies, and a team of security experts, ethical hackers and analysts.

Reach Security

Reach Security

Reach is the first generative AI platform purpose-built to empower enterprise security teams. With Reach, organizations measure, manage, and improve their enterprise security posture at scale.

Synersoft BLACKbox

Synersoft BLACKbox

Synersoft, the maker of path-breaking and disruptive technology for SMEs, now branded as BLACKbox, is an incubated and invested portfolio company of CIIE - IIM-Ahmedabad.