Uber Concealed Breach of 57 Million Accounts for a YearFirm Paid Hackers $100,000, But Was It Bug Bounty Reward or Extortion Payoff?
Uber paid two hackers $100,000 to keep quiet about a 2016 breach that exposed 57 million accounts belonging to customers and drivers, Bloomberg reports.
See Also: The Global State of Online Digital Trust
The data included names, email addresses and phone numbers for registered users. It also included personal information for 7 million drivers plus 600,000 driver's license numbers, Bloomberg reports.
The belated disclosure of Uber's breach comes as U.S. legislators are investigating personal data security in the wake of "big three" credit bureau Equifax on Sept. 7 revealing its own, massive breach (see Congress Grills Equifax Ex-CEO on Breach).
The Uber breach will likely intensify debates over how quickly companies notify their customers after they have been breached and whether organizations are adequately auditing their systems for exploitable vulnerabilities or misconfigurations that hackers can exploit.
Already, Uber's $100,000 payment to hackers has raised eyebrows. As part of the payment, Uber required the two hackers to sign a nondisclosure agreement, concealing the damage, The New York Times reports. It notes that Uber portrayed the payment as a bug bounty rather than a ransom, but security experts say the whole episode appears to be troubling.
"When is a ransom not a ransom? When you retrospectively make it a bug bounty," Troy Hunt, a computer security and data breach expert, tells Information Security Media Group.
Full Investigation Promised
Uber's breach debacle lands in the lap of Dara Khosrowshahi, who took over as CEO in August from founder Travis Kalanick, who stepped down after a series of scandals.
Kalanick knew of the breach by November 2016, Bloomberg reports, but Khosrowshahi was apparently in the dark until only recently.
The new CEO says he's called for a full investigation. "You may be asking why we are just talking about this now, a year later," Khosrowshahi says in a statement issued Tuesday. "I had the same question, so I immediately asked for a thorough investigation of what happened and how we handled it."
How Uber Was Breached
Uber was breached after the two attackers obtained login credentials from a private GitHub site used by Uber's engineers, Bloomberg reports. The attackers then used the login credentials to pull data from an Amazon Web Services account which contained an archive of rider and driver information.
The attack scenario appears to point to yet another case of user error on the part of Uber. For an organization of its size, such a mistake is inexplicable, says Zohar Alon, CEO of Dome9, which specializes in AWS security monitoring.
"There are tools available right now within GitHub that automatically check code for embedded access credentials such as AWS API keys," Alon says. "This is something that Uber, and any organization that is developing code, can and should implement whenever a software engineer checks in code to GitHub."
After obtaining the data, the attackers emailed Uber to notify the company that it had been breached, Bloomberg reported. In his statement, Khosrowshahi didn't mention that a ransom had been paid but wrote that the two individuals responsible for the breach had been identified and that Uber "obtained assurances that the downloaded data had been destroyed."
Bug Bounty Rules
His disclosure raises further questions about whether the hackers were simply paid to keep quiet. Hunt notes that most bug bounty programs have rules that would disqualify claimants who downloaded such a large amount of data from a system.
Hunt says that "the only reason you would do that" - reclassify a payoff as being a bug bounty reward - "is to cover up the fact that it is a data breach."
Uber launched a bug bounty program in March 2016 through HackerOne, one of several companies that set up structured rewards programs for other companies. The programs have helped smooth out conflicts between companies and independent researchers who find security flaws, which have too often escalated into outright disagreement and uncoordinated vulnerability disclosures.
Uber didn't immediately respond to a request for comment about whether it notified law enforcement agencies about its breach.
The FBI recommends that organizations never pay ransoms because they directly fund criminals and encourage them to continue their attacks, often against the same victim. But in the business world, executives may view ransom payments as a cost of doing business, and some cybersecurity insurance policies will help organizations negotiate with extortionists and pay ransoms.
Uber's Khosrowshahi says that as of Tuesday, two people who led the Uber's response to the breach are no longer working for the company.
One of those employees was Joe Sullivan, Uber's chief security offer, who's been fired, Bloomberg reports. A former federal prosecutor, Sullivan moved to Uber around April 2015 after serving as Facebook's CSO. The Wall Street Journal reports that Sullivan's deputy was the second person fired as a result of the investigation.
As Khosrowshahi deals with the fallout from this breach and Uber's delayed public notification, he says he plans to consult with Matt Olsen, co-founder of IronNet Cybersecurity and formerly a general counsel for the National Security Agency as well as director of the U.S. National Counterterrorism Center.
Olsen will "help me think through how best to guide and structure our security teams and processes going forward," Khosrowshahi says.
So far, Uber says it has not seen any signs that the breached data led to fraud or was otherwise misused. For its users, Uber says that outside digital forensic experts did not see indications that "trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded," according to a separate statement aimed at affected customers who have booked rides via the service.
Uber drivers' details were also breached, and any drivers whose driver's license numbers were exposed will be offered free credit monitoring and identity theft protection services, Khosrowshahi says, adding that Uber will also notify regulators.
The United States lacks a mandatory data breach notification requirement at the federal level. But almost every state now has laws that require organizations to inform state residents if their personal information has been or may have been exposed in a data breach. States' attorneys general have not been shy about prosecuting organizations that do business in their state if they believe their security controls are lackluster (see Report: Equifax Subpoenaed by New York State Regulator). Uber can expect to face scrutiny over its cybersecurity practices as well as potential Congressional hearings over what it knew, when it knew it and why it didn't warn victims more quickly.
"There are very few compelling arguments that Uber did not have a duty to report the breach of the information to affected persons and/or appropriate state regulators," Chris Pierson, chief security officer and general counsel for payment services firm Viewpost, tells ISMG.
There is also the question of whether the breach would qualify as a "material risk" if Uber was a publicly trade company. If in the future it becomes one, the breach would have to be disclosed in filings to the U.S. Securities and Exchange Commission, Pierson says.
Although Uber may not be legally required to notify regulators if customers' personal information - names, phone numbers and email addresses - was exposed in a breach, failing to alert authorities carries reputational risks, Pierson says.
That's why it's better to err on the side of caution, he argues. "There is a case to be made for being transparent with the entire population if it triggers certain risk thresholds and depending on business realities."
For Uber, those business realities include a succession of scandals that have put customers' faith in Uber, as well as its ability to operate in some countries, in jeopardy. "Uber's reputation has been in the gutter, so it would be better to control the bad news and release it yourself as opposed to acting solely based on a legal analysis," Pierson says.
Executive Editor Mathew Schwartz also contributed to this story.