Uber Technologies disclosed that their data was breached in 2016. According to reports, Uber paid $100,000 to attackers in order to cover up the breach and keep it in secret.
Dara Khosrowshahi, businessman, and CEO of Uber announced that the attack had an impact on 57 million Uber users’ data, their names, email addresses, and telephone numbers. When it comes to Uber drivers’ data, approximately 600,000 drivers’ names and licenses numbers were breached in the United States.
The CEO indicated:
I recently learned that in late 2016 we became aware that two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use.
Uber also announced that the data was breached before D. Khosrowshahi became their CEO. Bloomberg provides the information that the co-founder and former CEO of Uber, was informed about the attack in November 2016. In addition, Joe Sullivan, former chief security officer of Uber and one of his deputies lost their jobs because of the attack.
D. Khosrowshahi also reported that “At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals. We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed.”
Other sensitive information including users’ credit card data, Social Security numbers or trip location and history were not accessed.
According to report at Bloomberg, two hackers accessed the Uber data on Amazon Web Services by using software engineer credentials.
Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company.
Just after the data was kidnapped, hackers informed Uber and demanded money.
Uber wasn’t the only one who suffered the data breach. Leaky AWS storage servers also had exposed data on the Internet. Corporations like Verizon, Deep Root Analytics, and Dow Jones also were found to leak user information on the Internet. In addition, Equifax revealed a data breach that impacted over 143 million users.
Terry Ray, CTO at Imperva was also interested in Uber data breach.
Some of the questions that should be answered include: Why did engineers have access to 57 million records of personally identifiable information? Did Uber security have any monitoring in place to alert them when such vast amounts of data were accessed? Controls to alert on suspicious data access do exist, but my guess is that they were not used, which is all too typical in today’s enterprises.