In this week's Risk & Repeat podcast, SearchSecurity editors discuss the Uber data breach, which was concealed by company officials, and the ethics of data breach disclosure.
The Uber data breach and subsequent cover-up could have troubling implications for enterprise security.
Last week, the ride-sharing company disclosed a previously unreported incident in which threat actors stole the personal information (names, email addresses and mobile phone numbers) of 57 million customers worldwide, as well as the names and driver's license numbers of 600,000 drivers in the U.S. Uber admitted that company officials effectively concealed the breach from customers and regulators for more than a year.
According to Bloomberg, which was first to report the breach, Uber CSO Joe Sullivan and Craig Clark, a senior lawyer with the company, led the response effort to the Uber data breach and paid the attackers $100,000 to delete the data and stay quiet about the incident. Bloomberg also reported the attackers gained access to a private GitHub site and obtained company login credentials, which were then used to access the databases hosted on Amazon Web Services.
The incident has raised questions about the ethics of data breach disclosure and customer notification. What type of security incident qualifies as a data breach versus a simple malware infection? Are companies that pay to recover data in ransomware attacks potentially violating data breach disclosure rules? Is the Uber data breach cover-up just an isolated incident, or are more enterprises engaging in this type of behavior?
SearchSecurity editors Rob Wright and Peter Loshin discuss those questions and more in this episode of the Risk & Repeat podcast.