1/4/2018
02:00 PM
Kirsten Bay
Commentary

Uber's Biggest Mistake: It Wasn't Paying Ransom

Rather than scrambling to deal with attacks after the fact, companies need to focus on improving detection capabilities with tools that help them work within data laws, not outside of them.

Uber has discovered that when it rains, it really pours. Since Bloomberg broke the news that the ride-hailing giant had suffered a massive breach of more than 57 million customer and driver records, it has been hit with three lawsuits and five independent investigations from the attorneys general of New York, Missouri, Massachusetts, Connecticut, and Illinois. And that's not to mention increased scrutiny of its practices by the Federal Trade Commission (FTC).

So far, media coverage has focused on Uber's decision to pay the attackers $100,000 in return for restoring the deleted data, and on the company's yearlong concealment of the incident. Some industry pundits have suggested that this type of response to attacks helps fuel cybercrime. But focusing on the sensational aspects of the story alone obscures a much bigger, industry-wide mistake: the failure of companies to accept responsibility for keeping data safe, driven by a management perception that cyberattacks "happen to someone else."

Follow the Data
Paying for stolen data to be returned is not necessarily bad. In fact, it is not dissimilar to what many firms do to outsmart criminals; they purchase the latest malware in order to identify its exploits and defend against them. Incurring a cost to secure the data was a vital part of Uber's damage control strategy.

That said, allowing the damage to occur at all was where the company went wrong. Because data flow was not accurately monitored, attackers went unnoticed while they stole millions of customer names, email addresses, and phone numbers, as well as the details of half a million US drivers.

The theft highlights the importance of robust and fast detection in limiting the damage caused by attackers. Research that Cyber adAPT commissioned with Aberdeen Group shows that rapid attack detection can limit the business impact of breaches by 70% on average. With better detection procedures, Uber could have limited the flow of data to attackers, notified regulators faster, and avoided a substantial media storm.

Ignoring Data Responsibility
The harm done to Uber's reputation by this breach is significant, but it is a particularly bitter pill for the company to swallow, considering its existing data security record.

In 2014, the company faced two data disasters. First, cybercriminals exposed the names and licenses of 100,000 drivers. Then the company acknowledged the existence of a software tool called "God View," which enabled employees to track customer locations in real time. Following these incidents three years ago, Uber entered discussions with the FTC and only reached an agreement in August 2017, stating that the company must submit to third-party audits every 24 months for the next two decades.

Even though Uber had already been censured about poor data management, it did not learn from its mistakes. Instead, it has taken the same route as many companies: assuming data breaches are something that happen to other businesses and that there is no immediate need to strengthen data protection measures.

In reality, online attacks are not isolated events, and attackers can target anyone, sometimes more than once. As digital transformation makes data essential to business and leisure, everyone — from the man on the street, to global businesses — is becoming a cybercrime target. For those who hold valuable insight, there is therefore an unavoidable responsibility to keep it secure.

This brings us to a key question: What can Uber and other companies do to own their responsibility while standing up against cybercrime? The answer involves adopting a detection and prevention-focused approach to security — one that takes the complicated nature of modern connectivity into account.

Completing the Protection Puzzle
Traditional network boundaries are changing. No longer confined to the office, employees can access company systems from anywhere using a variety of technologies, from laptops and mobile devices to Internet of Things (IoT) devices. Consequently, networks are more flexible, but also more fragmented, which gives attackers greater potential to find loopholes. To defend data, businesses must mitigate threats by constantly assessing every device on their network and deploying tools that can pinpoint and remove any suspicious activity.

Of course, establishing total control of systems is not a simple task — especially for large corporations with 40 million monthly customers such as Uber. But by deploying a continually risk-aware methodology, companies can ensure they are prepared for inevitable cyber challenges and demonstrate to their customers that they can be trusted with sensitive data. Indeed, if the statement issued by Uber spokeswoman Molly Spaeth is anything to go by, this is exactly the direction the company plans to move in: "We are committed to changing the way we do business, putting integrity at the core of every decision we make, and working hard to regain the trust of consumers."

Whether it is too late for Uber to save its reputation remains to be seen. The company has made definitive changes, such as firing chief security officer Joe Sullivan and hiring Matt Olsen, former general counsel at the National Security Agency. However, more than fresh leadership is required to restore its data credentials. As the myriad of legal suits leveled at Uber indicates, failing to take responsibility for data security has its consequences. Rather than scrambling to deal with attacks after the fact, Uber needs to focus on improving its detection and neutralization abilities — adopting tools that will help it work within data laws, not outside of them.

As President and CEO of security firm Cyber adAPT, Kirsten Bay leverages more than 25 years of experience in risk intelligence, information management, and policy expertise. Her career has seen her sit on a US congressional committee and assist in developing policies for the ...