Uber data breach raises unsettling questions for infosec
Uber Technologies, Inc., is no stranger to self-inflicted wounds, but the latest visit to the infirmary goes far beyond the kinds of running-with-scissors episodes that have made the ride-sharing company infamous.
Bloomberg Technology reported Tuesday that Uber suffered a massive data breach in the fall of 2016 that exposed the names, email addresses and phone numbers of 50 million riders worldwide, as well as the personal information of an additional 7 million drivers. The Uber data breach was concealed by the company for more than a year, according to the report, thanks to efforts by the company’s former CSO and another member of the infosec team.
Rather than disclose the breach to regulators and notify affected drivers and customers, Joe Sullivan, who was ousted from his CSO position this week, and Craig Clark, another member of the security team, engaged in a cover-up that included paying $100,000 to the hackers behind the breach to delete the stolen data and keep quiet about the incident.
Newly appointed CEO Dara Khosrowshahi said he only recently became aware of the Uber data breach and pledged to take several actions to correct the dysfunction that led to the cover-up. “None of this should have happened, and I will not make excuses for it,” Khosrowshahi wrote in a statement. “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.”
It’s easy to look at the Uber data breach and its ensuing cover-up and localize it to Uber’s rotten corporate culture. After all, the company has an established track record of engaging in unethical and possibly illegal practices while skirting government regulators.
However, sitting back and saying “Forget it, Jake – it’s Uber” may be missing a larger concern. There are a number of troubling aspects about this incident, starting with the fact that Sullivan was a former federal prosecutor with the U.S. Department of Justice. Presumably, he knew the legal risks of covering up the Uber data breach, to say nothing of the ethical implications.
It’s also worth noting that Sullivan isn’t an inexperienced nobody who might claim ignorance of proper infosec and data breach notification practices. He was the CSO at Facebook for more than five years and also served as the social networking giant’s associate general counsel (in a separate story, Bloomberg reported Sullivan also served Uber as deputy general counsel while he was CSO, though the company never officially named him to such a position).
Again, it’s easy to argue that Uber’s culture somehow got its hooks into a respected and experienced CSO and influenced him to the point where he abandoned his legal and ethical duties. But viewing this data breach cover-up as an incident that only Uber could commit misses the writing on the wall.
First, I’ve heard numerous stories at infosec conferences this year about unnamed companies, including healthcare and financial services organizations, that were hit with ransomware and then paid the ransom without disclosing the incident to regulators or the public. Is a ransomware attack technically a data breach? That’s a debatable question and a subject for another time. But I suspect that a resistance to disclosures and notifications for security incidents, whether ransomware or network intrusions, has been growing within corporate America in recent years.
And second, this isn’t the first time an organization has engaged in a reckless cover-up of data breaches. Last year a congressional investigation revealed that the FDIC engaged in repeated cover-ups of major cyberattacks and data breaches and even retaliated against whistleblowers within the agency. And that’s just one example where the cover-up was both wanton and exposed later on. There are other curious incidents of breaches and cyberattacks that occurred many months and even years earlier and, for mysterious reasons, have only become public knowledge recently.
We may want to believe that only the truly reckless and lawless companies would do what Uber did, but I think it’s time to start asking how many other enterprises may be running with scissors and on the verge of gutting both themselves and their customers.