Is the Uber hack a sign of worse data breaches to come?
As news broke last week about the massive 2016 Uber hack (and subsequent cover-up), we couldn’t help but wonder: is anybody’s data safe anymore?
Over the last few years, we’ve witnessed some of the worst data hacks in history:
- Yahoo, which compromised more than 3 billion user accounts in separate attacks in 2013 and 2014
- Equifax, which left sensitive information exposed (including social security numbers and driver’s license numbers) for more than 143 million Americans in 2017
- Verizon, which exposed at least 14 million customer records in 2017 due to an unprotected third-party server
- MySpace, LinkedIn, Target, Home Depot and numerous others
But something about the Uber hack feels different, doesn’t it?
Uber has had its fair share of controversy over the years. Part of that comes with the territory of being one of the biggest, most well-funded and disruptive tech startups in history.
But that’s kind of the problem …
We’ve got an uber-dilemma here
Uber is supposed to be this groundbreaking technology company that we trust with our lives, literally: as both riders inside Uber vehicles and as users who consent to giving the company a trove of data: our whereabouts, our credit card numbers, our personal information and a whole lot more.
So when Uber announces that hackers successfully stole private information for 57 million users, and tried to cover it up, well … that raises lots of red flags.
If an innovative and supposedly tech-forward company like Uber is susceptible to a massive data hack, then who really is safe?
You don’t have to be an Uber user to be worried about this. Today’s biggest tech companies have become ingrained into our daily lives. We want to believe our most sensitive data is secure, but as we’re learning more and more, it’s not.
How did the Uber hack happen?
A closer look at Uber’s data breach might offer a little solace. The hack was partly due to a human-caused lapse in security, rather than some new sophisticated cyberattack.
In short, Uber left its guard down.
According to Wired, developers at Uber had published code on the software repository Github that contained their usernames and passwords. Although it’s not yet clear how hackers accessed the private Github account, hackers used the credentials to gain access to “the developers’ privileged accounts on Uber’s network.” And with that, the hackers were able to access sensitive rider and driver data stored via Amazon Web Services (AWS) servers.
The stolen data included:
- Names, email addresses and phone numbers for 57 million Uber users
- Names and driver’s license information for 600,000 drivers
In a blog post by CEO Dara Khosrowshahi, Uber said it has no evidence of “fraud or misuse” of the stolen data, though that doesn’t guarantee it hasn’t happened. Since drivers’ license information was breached, the company will be offering them free credit monitoring and identity theft protection. Uber said it will also actively monitor all affected user accounts for suspicious activity.
A $100,000 payday for hackers
Ignore, for a moment, the fact that we trust a large technology company like Uber to keep our data safe.
The most egregious part of the Uber hack story isn’t the hack itself. It’s that the company paid the hackers $100,000 to delete their copies of the stolen data, and then the company covered it all up.
Look, we get it. Sometimes companies have no choice but to pay their attackers, as we’ve seen in numerous ransomware incidents. But this is something entirely different and shadier.
So far, it does not appear that this was a case involving ransomware. The data was not encrypted. After stealing Uber’s information, the two hackers demanded the company pay them $100,000 to delete their copy of the data. Uber paid up.
But the company didn’t want anyone to find out.
The New York Times reports that Uber tracked down the hackers and ordered them to sign nondisclosure agreements to keep quiet about the incident. The company also concealed the payment by making it appear on paper as “bug bounty” – the term for when hackers are paid to hack a company’s software to help identify vulnerabilities.
The deal was arranged by former CEO Travis Kalanick and CSO Joe Sullivan, who was fired after the revelations came to light. The company did not alert the authorities at the time of the incident.
The consequences for Uber
It’s not illegal to pay ransom money to attackers, but Uber’s handling of the hack may have broken federal and state laws.
As Wired writes, “By failing to publicly disclose the breach for over a year, the company has likely violated breach disclosure laws, and should be bracing for hefty fines in many states where its users live, as well as its home state of California.”
It’s also important to remember that Uber just settled with the FTC in August for its 2014 privacy breach, when a hacker gained access to private information on more than 100,000 drivers. If anyone from Uber gave false statements to the FTC over the course of that investigation, then that would be a federal criminal offense.
On Monday, a group of U.S. senators sent a letter to the company, saying the data breach “merits further scrutiny.” The lawmakers are requesting more specific information about the hack, including a timeline of when it happened, how long it was known and by whom.
Legal repercussions aside, the incident is yet another huge blow to Uber’s credibility, resulting in new calls on social media for users to #deleteuber from their smartphones.
The consequences for users
What can hackers do with your most basic personal information, such as names, phone numbers and email addresses? Kind of a lot, actually.
That information can be combined with other data points from other breaches for identify theft and for phishing attacks. Uber may not have leaked credit card information or social security numbers, but if, for example, your leaked Uber info was matched with leaked data from the Equifax breach, then it puts a lot of power into the hands of hackers to obtain loans and credit cards in your name.
And as Wired aptly writes, all of this “contributes to the dreary, steady erosion of the average person’s control of their personal information.”
What has Uber said about this?
So far, Uber’s response to the revelation has been mostly limited to the blog post by CEO Dara Khosrowshahi, who was hired last August after the ousting of Kalanick.
Here’s how he described the various elements of the incident:
- The hack: “…Two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use. The incident did not breach our corporate systems or infrastructure.”
- The data: “…Outside forensics experts have not seen any indication that trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded.”
- The response: “…At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals. We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.”
The blog post does not specifically mention the $100,000 paid to the hackers, or the “cover up,” or the non-disclosure agreements. Those details came to light after interviews with “several current and former employees who spoke on the condition of anonymity” with news media.
Khosrowshahi ended the post saying, “We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.” I guess we’ll see.
What to do if you think you were affected
There’s no way to know for sure if your account was affected by the Uber hack, and the company claims that users don’t have to take any action.
However, it’s a good idea to change your password anyway, and keep close tabs on all your accounts, as you should be doing already. Be especially wary of any email notices from Uber requesting personal information. With a hack like this, where only basic personal information was leaked, phishing scams are the greatest risk.
If you receive an email asking you to change your password, double-check the sender information. Even if it appears legit, update your account directly through Uber’s website, instead of clicking the link in the email.
Is a data doomsday coming?
If you follow cybersecurity news like we do, then you have plenty reason to be concerned about future data breaches.
If a large tech company like Uber can be hacked, then others can too.
Just this week, another well-known site, Imgur, admitted to a 2014 data breach in which 1.7 million email addresses and passwords were leaked.
More big data breaches will happen—it’s just a matter of when. And we’ve only seen the beginning of how destructive these attacks can be. In most ransomware attacks, for example, data is only encrypted, not stolen. Imagine a scenario in which ransomware is used to cripple your business while masking another simultaneous attack: data theft.
- How much might a company be willing to pay to stop hackers from selling that sensitive data or making it public?
- How common will these attacks become if companies keep paying up?
We don’t know the answers to those questions, but we do know this: keeping your data protected has never been more important.
Get more information