1/4/2018
02:00 PM
Kirsten Bay
Commentary

Uber's Biggest Mistake: It Wasn't Paying Ransom

Rather than scrambling to deal with attacks after the fact, companies need to focus on improving detection capabilities with tools that help them work within data laws, not outside of them.

Uber has discovered that when it rains, it really pours. Since Bloomberg broke the news that the ride-hailing giant had suffered a massive breach of more than 57 million customer and driver records, it has been hit with three lawsuits and five independent investigations from the attorneys general of New York, Missouri, Massachusetts, Connecticut, and Illinois. And that's not to mention increased scrutiny of its practices by the Federal Trade Commission (FTC).

So far, media coverage has focused on Uber's decision to pay the attackers $100,000 in return for restoring the deleted data, and on the company's yearlong concealment of the incident. Some industry pundits have suggested that this type of response to attacks is helping fuel cybercrime. But focusing on the sensational aspects of the story alone obscures a much bigger, industry-wide mistake: the failure of companies to accept responsibility for keeping data safe because of a management perception that cyberattacks "happen to someone else."

Follow the Data
Paying for stolen data to be returned is not necessarily bad. In fact, it is not dissimilar to what many firms do to outsmart criminals; they purchase the latest malware in order to identify its exploits and defend against them. Incurring a cost to secure the data was a vital part of Uber's damage control strategy.

That said, allowing the damage to occur at all was where the company went wrong. Because data flow was not accurately monitored, attackers went unnoticed while they stole millions of customer names, email addresses, and phone numbers, as well as the details of half a million US drivers.

The theft highlights the importance of robust and fast detection in limiting the damage caused by attackers. Research that Cyber adAPT commissioned with Aberdeen Group shows that rapid attack detection can limit the business impact of breaches by 70% on average. With better detection procedures, Uber could have limited the flow of data to attackers, notified regulators faster, and avoided a substantial media storm.

Ignoring Data Responsibility
The harm done to Uber's reputation by this breach is significant, but it is a particularly bitter pill for the company to swallow, considering its existing data security record.

In 2014, the company faced two data disasters. First, cybercriminals exposed the names and licenses of 100,000 drivers. Then the company acknowledged the existence of a software tool called "God View," which enabled employees to track customer locations in real time. Following these incidents three years ago, Uber entered discussions with the FTC and only reached an agreement in August 2017, under which the company must submit to third-party audits every 24 months for the next two decades.

Even though Uber had already been censured for poor data management, it did not learn from its mistakes. Instead, it took the same route as many companies: assuming data breaches are something that happens to other businesses and that there is no immediate need to strengthen data protection measures.

In reality, online attacks are not isolated events, and attackers can target anyone, sometimes more than once. As digital transformation makes data essential to business and leisure, everyone — from the man on the street, to global businesses — is becoming a cybercrime target. For those who hold valuable insight, there is therefore an unavoidable responsibility to keep it secure.

This brings us to a key question: What can Uber and other companies do to own their responsibility while standing up against cybercrime? The answer involves adopting a detection and prevention-focused approach to security — one that takes the complicated nature of modern connectivity into account.

Completing the Protection Puzzle
Traditional network boundaries are changing. No longer confined to the office, employees can access company systems from anywhere using a variety of technologies, from laptops and mobile devices to Internet of Things (IoT) devices. Consequently, networks are more flexible, but also more fragmented, which gives attackers greater potential to find loopholes. To defend data, businesses must mitigate threats by constantly assessing every device on their network and deploying tools that can pinpoint and remove any suspicious activity.

Of course, establishing total control of systems is not a simple task — especially for large corporations with 40 million monthly customers such as Uber. But by deploying a continually risk-aware methodology, companies can ensure they are prepared for inevitable cyber challenges and demonstrate to their customers that they can be trusted with sensitive data. Indeed, if the statement issued by Uber spokeswoman Molly Spaeth is anything to go by, this is exactly the direction the company plans to move in: "We are committed to changing the way we do business, putting integrity at the core of every decision we make, and working hard to regain the trust of consumers," she said in a statement.

Whether it is too late for Uber to save its reputation remains to be seen. The company has made definitive changes, such as firing chief security officer Joe Sullivan and hiring Matt Olsen, former general counsel at the National Security Agency. However, more than fresh leadership is required to restore its data credentials. As the myriad of legal suits leveled at Uber indicates, failing to take responsibility for data security has its consequences. Rather than scrambling to deal with attacks after the fact, Uber needs to focus on improving its detection and neutralization abilities, adopting tools that will help it work within data laws, not outside of them.

As President and CEO of security firm Cyber adAPT, Kirsten Bay leverages more than 25 years of experience of risk intelligence, information management, and policy expertise. Her career has seen her sit on a US congressional committee; assist in developing policies for the ... View Full Bio