Oh boy. Uber is known for pushing the limits of the law and has dozens of lawsuits pending against it, but this one went too far, and now comes the reckoning.
Bloomberg was first to report that hackers stole the personal data of 57 million customers and drivers from Uber, a massive breach that the company concealed for more than a year. This week, Uber finally fired its chief security officer and one of his deputies for their roles in keeping the hack under wraps, which included a $100,000 payment to the attackers to “delete the data”. The payment was positioned as a “bug bounty reward”. Yeah, sure!
Victim Of A Simple Credentials Phishing Attack?
Here’s how the press describes the hack: Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company.
From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money, according to the company. Read between the lines and two things stand out: getting into the GitHub repo could very well have been a simple credentials spear phishing scheme done with some crafty social engineering, and the AWS credentials were apparently sitting in that repo for the taking, because careless developers left internal login credentials lying around online:
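The second ingredient, credentials committed to a repository, is the easiest one to check for yourself. The following is an added example, not code from the original post and not anything Uber ran: a minimal secret scanner of the kind you would hook into pre-commit or run over a repo's history, looking for AWS access key IDs and high-entropy secret keys. The sample files are constructed for the demo, and the key values are Amazon's published documentation examples, not live credentials.

```python
"""Scan source text for AWS credentials committed to a repository.

Added example (not Uber's tooling, not from the original post): a minimal
secret scanner you would run as a pre-commit hook or over repository history.
The files below are constructed samples; the key values are Amazon's
published documentation examples, not real credentials.
"""
import math
import re

# AWS access key IDs are 20 characters: a 4-letter prefix (AKIA for long-lived
# IAM user keys, ASIA for temporary STS keys) followed by 16 base-32 characters.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# Secret access keys are 40 characters of base64-like text. On its own that
# pattern matches far too much, so only flag a 40-char token that sits next to
# a telltale variable name and that has enough entropy to actually be random.
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws)?_?secret(?:_access)?_?key\W{0,3}['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# Constructed sample repository contents (not from the original post).
SAMPLE_FILES = {
    "config/settings.py": (
        "# constructed sample, not a real config\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    "README.md": (
        "Set AWS_SECRET_ACCESS_KEY to your own value, e.g.\n"
        "aws_secret_access_key = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n"
    ),
}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: random base64 lands near 5, placeholders near 0."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str, path: str = "<memory>", min_entropy: float = 4.0):
    """Return a list of (path, line_no, kind, token) findings for one file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((path, line_no, "aws_access_key_id", m.group(0)))
        for m in SECRET_KEY_RE.finditer(line):
            token = m.group(1)
            # Low-entropy tokens are placeholders ("XXXX..."), not leaked secrets.
            if shannon_entropy(token) >= min_entropy:
                findings.append((path, line_no, "aws_secret_access_key", token))
    return findings


def scan_files(files: dict):
    """Scan a mapping of path -> file contents and return all findings."""
    findings = []
    for path, content in files.items():
        findings.extend(scan_text(content, path))
    return findings


if __name__ == "__main__":
    for path, line_no, kind, token in scan_files(SAMPLE_FILES):
        # Never echo the full secret into logs or CI output; show a prefix only.
        print(f"{path}:{line_no}: {kind} {token[:4]}...")
```

A real deployment would also walk `git log -p` rather than only the working tree, because a key that was committed and then removed is still in history, which is exactly the kind of thing an attacker with repo access goes looking for.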
Failure To Disclose
Joe Sullivan, the outgoing security chief, spearheaded the response to the hack last year, a spokesman told Bloomberg. Sullivan, a onetime federal prosecutor who joined Uber in 2015 from Facebook Inc., has been at the center of much of the decision-making that has come back to bite Uber this year.
Bloomberg reported last month that the board commissioned an investigation into the activities of Sullivan’s security team. This project, conducted by an outside law firm, discovered the hack and the failure to disclose, Uber said.
SNAFUs are bad, but cover-ups can kill you
No doubt regulators will also be asking tough questions about why Uber did not inform them of the breach until this week, and class-action lawsuits… heeeere we come!
Uber says it has “not seen evidence of fraud or misuse tied to the incident.” Let’s hope that they are right, but it is highly unlikely that paying the attackers got these records deleted. A copy has almost certainly been sold on the dark web already, or will be, and there are many ways criminals can abuse that data without Uber ever becoming aware of it.
All organizations would be wise to remember this: SNAFUs are bad, but cover-ups can kill you. You can ask forgiveness for being hacked and handle your disclosure correctly, but many people will find it harder to forgive if you deliberately covered up the truth.
Expect Uber-themed phishing attacks
Now that this is all over the press, the bad guys are going to send Uber-themed phishing attacks in a variety of flavors. First will be emails with warnings like “Your Uber Account Has Been Compromised” that send people to phishing pages where their credentials really do get stolen. You can imagine online criminals are going to have a field day with this, since it’s all over the press and people are going to be worried. Here’s a sample:
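As an added example that is not part of the original post (and is not the phishing sample it refers to), here is a small mail filter that scores messages which invoke the Uber brand but link to, or come from, domains Uber does not own. The two raw messages are constructed for the demo, and the allowlist of legitimate brand domains and the registrable-domain helper are simplifying assumptions, not Uber's real mail infrastructure.

```python
"""Flag Uber-themed credential phishing by checking where the links really go.

Added example, not from the original post and not Uber's code: a small mail
filter that scores messages which invoke the Uber brand but link to, or are
sent from, domains the brand does not own. Both messages below are constructed
samples; BRAND_DOMAINS is an assumption for the demo.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

BRAND = "uber"
BRAND_DOMAINS = {"uber.com"}  # assumed allowlist of legitimate link/sender domains
ALARM_PHRASES = ("account has been compromised", "verify your account", "suspended")

# Constructed phishing lure: look-alike sender, urgency, link to a domain that
# merely starts with "uber.com." so it looks right in a cramped mail client.
PHISH = b"""From: Uber Security <security@uber-alerts-center.com>
To: rider@example.org
Subject: Your Uber Account Has Been Compromised
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your Uber account has been compromised. Please
<a href="http://uber.com.account-verify.net/login">sign in at uber.com</a>
within 24 hours or your account will be suspended.</p>
</body></html>
"""

# Constructed benign message: same brand, but sender and link stay on uber.com.
LEGIT = b"""From: Uber <noreply@uber.com>
To: rider@example.org
Subject: Your Tuesday trip receipt
Content-Type: text/html; charset=utf-8

<html><body>
<p>Thanks for riding with Uber. <a href="https://riders.uber.com/trips">View your trip</a>.</p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def registrable_domain(host: str) -> str:
    """Simplified eTLD+1 (last two labels); enough to catch 'uber.com.evil.net'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze(raw_message: bytes) -> dict:
    """Return the subject, a suspicious flag and the reasons behind it."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    subject = str(msg.get("subject", ""))
    text = (subject + " " + body).lower()
    reasons = []
    if BRAND not in text:  # only brand-themed mail is in scope for this rule
        return {"subject": subject, "suspicious": False, "reasons": reasons}

    for phrase in ALARM_PHRASES:  # the "act now" pressure every lure carries
        if phrase in text:
            reasons.append(f"urgency lure: '{phrase}'")
            break

    sender_host = parseaddr(str(msg.get("from", "")))[1].rpartition("@")[2].lower()
    if registrable_domain(sender_host) not in BRAND_DOMAINS and BRAND in sender_host:
        reasons.append(f"look-alike sender domain: {sender_host}")

    parser = LinkExtractor()
    parser.feed(body)
    hrefs = [h for h, _ in parser.links] + re.findall(r"https?://[^\s\"'<>]+", body)
    for href in dict.fromkeys(hrefs):  # de-duplicate, keep order
        host = (urlparse(href).hostname or "").lower()
        if registrable_domain(host) in BRAND_DOMAINS:
            continue
        kind = "look-alike domain in link" if BRAND in host else "brand message links off-brand"
        reasons.append(f"{kind}: {host}")
    return {"subject": subject, "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for sample in (PHISH, LEGIT):
        print(analyze(sample))
```

The point of the registrable-domain check is that the lure's link text says uber.com and the host even begins with uber.com, but the part that matters is the last two labels, account-verify.net, which is what the browser actually connects to.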
Stay safe out there.