[BreachExchange] Uber's Biggest Mistake: It Wasn't Paying Ransom

Audrey McNeil audrey at riskbasedsecurity.com
Fri Jan 5 14:04:59 EST 2018


Uber has discovered that when it rains, it really pours. Since Bloomberg
broke the news that the ride-hailing giant had suffered a massive breach of
more than 57 million customer and driver records, it has been hit with
three lawsuits and five independent investigations from the attorneys
general of New York, Missouri, Massachusetts, Connecticut, and Illinois.
And that's not to mention increased scrutiny of its practices by the
Federal Trade Commission (FTC).

So far, media coverage has focused on Uber's decision to pay the attackers
$100,000 in return for restoring the deleted data and the company's
yearlong concealment of the incident. Some industry pundits have
suggested this type of response to attacks is helping fuel cybercrime. But
focusing on the sensational aspects of the story alone obscures a much
bigger, industry-wide mistake: the failure of companies to accept
responsibility for keeping data safe because of a management perception
that cyberattacks "happen to someone else."

Follow the Data
Paying for stolen data to be returned is not necessarily bad. In fact, it
is not dissimilar to what many firms do to outsmart criminals; they
purchase the latest malware in order to identify its exploits and defend
against them. Incurring a cost to secure the data was a vital part of
Uber's damage control strategy.

That said, allowing the damage to occur at all was where the company went
wrong. Because data flow was not accurately monitored, attackers were able
to steal millions of customer names, email addresses, and phone numbers,
as well as the details for half a million US drivers, without being
noticed.

The theft highlights the importance of robust and fast detection in
limiting the damage caused by attackers. Research that Cyber adAPT
commissioned with Aberdeen Group shows that rapid attack detection can
limit the business impact of breaches by 70% on average. With better
detection procedures, Uber could have limited the flow of data to
attackers, notified regulators faster, and avoided a substantial media

Ignoring Data Responsibility
The harm done to Uber's reputation by this breach is significant, but it is
a particularly bitter pill for the company to swallow, considering its
existing data security record.

In 2014, the company faced two data disasters. First, cybercriminals
exposed the names and licenses of 100,000 drivers. Then the company
acknowledged the existence of a software tool called "God View," which
enabled employees to track customer locations in real time. Following these
incidents three years ago, Uber entered discussions with the FTC and only
reached an agreement in August 2017, stating that the company must submit to
third-party audits every 24 months for the next two decades.

Even though Uber had already been censured about poor data management, it
did not learn from its mistakes. Instead, it has taken the same route as
many companies: assuming data breaches are something that happens to other
businesses and that there is no immediate need to strengthen data
protection measures.

In reality, online attacks are not isolated events, and attackers can
target anyone, sometimes more than once. As digital transformation makes
data essential to business and leisure, everyone — from the man on the
street, to global businesses — is becoming a cybercrime target. For those
who hold valuable insight, there is therefore an unavoidable responsibility
to keep it secure.

This brings us to a key question: What can Uber and other companies do to
own their responsibility while standing up against cybercrime? The answer
involves adopting a detection and prevention-focused approach to security —
one that takes the complicated nature of modern connectivity into account.

Completing the Protection Puzzle
Traditional network boundaries are changing. No longer confined to the
office, employees can access company systems from anywhere using a variety
of technologies from laptops and mobile to Internet of Things (IoT)
devices. Consequently, networks are more flexible, but also more
fragmented. This means that there is greater potential for attackers to
find loopholes. To defend data, businesses must mitigate threats by
constantly assessing every device on their network and deploying tools that
can pinpoint and remove any suspicious activity.

Of course, establishing total control of systems is not a simple task —
especially for large corporations with 40 million monthly customers such as
Uber. But by deploying a continually risk-aware methodology, companies can
ensure they are prepared for inevitable cyber challenges and demonstrate to
their customers that they can be trusted with sensitive data. Indeed, if
the statement issued by Uber spokeswoman Molly Spaeth is anything to go by,
this is exactly the direction the company plans to move in: "We are
committed to changing the way we do business, putting integrity at the core
of every decision we make, and working hard to regain the trust of
consumers," she said in a statement.

Whether it is too late for Uber to save its reputation remains to be seen.
The company has made definitive changes, such as firing chief security
officer Joe Sullivan and hiring Matt Olsen, former general counsel at the
National Security Agency. However, more than fresh leadership is required
to restore its data credentials. As the myriad of legal suits leveled at
Uber indicate, failing to take responsibility for data security has its
consequences. Rather than scrambling to deal with attacks after the fact,
Uber needs to focus on improving their detection and neutralization
abilities — adopting tools that will help them work within data laws, not
outside of them.