Attacks/Breaches

2/6/2018
07:23 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
0%
100%

Uber's Response to 2016 Data Breach Was 'Legally Reprehensible,' Lawmaker Says

In Senate hearing, Uber CISO admits company messed up in not quickly disclosing breach that exposed data on 57 million people.

A senior US lawmaker Tuesday slammed ride-hailing giant Uber for not promptly disclosing a November 2016 breach that exposed personal data on 57 million people, choosing instead to pay $100,000 to keep the two perpetrators of the theft silent.

At a hearing before the Senate Committee for Commerce, Science & Transportation, Sen. Richard Blumenthal (D-Conn.) described Uber's action as "morally wrong and legally reprehensible."

Uber's payoff violated not only the law but also the norm of what should be expected in such situations, Blumenthal said. "Drivers and riders were not informed and neither was law enforcement. In fact, it was almost a form of obstruction of justice."

Uber CEO Dara Khosrowshahi last November disclosed that the company had a year ago quietly paid two hackers $100,000 to destroy data they had stolen from a cloud storage location. The compromised data included names and driver's license information for some 600,000 Uber drivers in the US, and also the names, email addresses, and cellphone numbers of some 57 million Uber riders and drivers worldwide in total.

Khosrowshahi claimed he learned of the data breach and the payoff only just prior to disclosing it and vowed to make changes to ensure the same lapse would not happen again. He also disclosed that Uber had fired CISO Joe Sullivan and another executive who had led the response to the breach.

In testimony before the Senate Committee Tuesday, Uber CISO John Flynn admitted the company had made a mistake in not disclosing the breach in a timely fashion. But he claimed the primary goal in paying the intruders was to protect the stolen data.

"I would like to echo statements made by new leadership, and state publicly that it was wrong not to disclose the breach earlier," Flynn said. There is no justification for Uber's breach notification failure, Flynn candidly admitted. "The real issue was we didn't have the right people in the room making the right decisions."

According to Flynn, Uber first learned about the breach on November 14, 2016, when one of the attackers sent an email informing the company that its data had been accessed. The attacker demanded a six-figure ransom payment for not leaking the data.

Uber security engineers were quickly able to determine the thieves had accessed copies of certain databases and files stored in a private location on Amazon's AWS cloud.

The attackers had apparently managed to gain access to the data using a legitimate credential that they found within code on a repository for Uber engineers on GitHub. The discovery prompted Uber to take immediate measures like implementing multifactor authentication on Github and across the company and adding auto-expiring credentials to protect against similar attacks.

In response to questions, Flynn admitted that Uber's decision to pay the $100,000 ransom amount, as a bug bounty, was a mistake as well. Like many other companies, Uber runs a vulnerability disclosure program that offers cash rewards to white-hat hackers who find and report exploitable security bugs in its services. HackerOne has been managing Uber's bug bounty program since 2018.

Blumenthal and Sen. Catherine Cortez Masto (D-Nev.) wanted to know why Uber had decided to pay the attackers the demanded $100,000 in the form a bug bounty. Both lawmakers pointed out that the actions by the two individuals was criminal in nature and not something that anyone would consider as responsible bug disclosure activity.

"The key distinction is they not only found a weakness but also exploited it in a malicious fashion to access and download data," Blumenthal noted. "Concealing, it in my view, is aiding and abetting the crime."

Masto expressed some incredulity that Uber would try to point malicious attackers to its managed bug bounty program in the first place. "So there was a criminal element trying to get into your data...and you are trying to put them on the right path?" she asked.

Flynn admitted that the intruders in this case were fundamentally different from usual bug hunters. He claimed that Uber decided to use the bug bounty program only as a means to gain attribution and assurances from the attackers. "We recognize that the bug bounty program is not an appropriate vehicle for dealing with intruders who seek to extort funds from the company," he noted.

Casey Ellis, founder of managed bug hunting service Bugcrowd, said today's hearing shines a spotlight on the ethics of Uber's response. "This was not a bug bounty payout. This was extortion, and the difference between the two is unambiguous."

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
BrianN060
50%
50%
BrianN060,
User Rank: Ninja
2/8/2018 | 10:55:32 AM
The facts are enough
The actions and inactions of Uber speak for themselves.  Sadly, congressional hearings have become less about fact-finding, than serving as a stage for politicians to coddle or condemn witnesses, in order to impress their constituencies, or further a partisan agenda.  Authors would be wise to filter the facts from the commentary and posturing.    

"---  Sen. Richard Blumenthal (D-Conn.) described Uber's action as "morally wrong and legally reprehensible."  ---"

As sound as the accusations against Uber may be; find a better judge of what is "moral" than CT's senator; his moral compass infallibly points in the direction of the TV cameras, and spins away from ever pointing out his own failures of judgement, or those of his compatriots.  [lifelong CT resident - unaffiliated voter]
'PowerSnitch' Hacks Androids via Power Banks
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/8/2018
The Case for a Human Security Officer
Ira Winkler, CISSP, President, Secure Mentem,  12/5/2018
Windows 10 Security Questions Prove Easy for Attackers to Exploit
Kelly Sheridan, Staff Editor, Dark Reading,  12/5/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-8651
PUBLISHED: 2018-12-12
A cross site scripting vulnerability exists when Microsoft Dynamics NAV does not properly sanitize a specially crafted web request to an affected Dynamics NAV server, aka "Microsoft Dynamics NAV Cross Site Scripting Vulnerability." This affects Microsoft Dynamics NAV.
CVE-2018-8652
PUBLISHED: 2018-12-12
A Cross-site Scripting (XSS) vulnerability exists when Windows Azure Pack does not properly sanitize user-provided input, aka "Windows Azure Pack Cross Site Scripting Vulnerability." This affects Windows Azure Pack Rollup 13.1.
CVE-2018-8617
PUBLISHED: 2018-12-12
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8583, CVE-2018-8...
CVE-2018-8618
PUBLISHED: 2018-12-12
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8583, CVE-2018-8...
CVE-2018-8619
PUBLISHED: 2018-12-12
A remote code execution vulnerability exists when the Internet Explorer VBScript execution policy does not properly restrict VBScript under specific conditions, aka "Internet Explorer Remote Code Execution Vulnerability." This affects Internet Explorer 9, Internet Explorer 11, Internet Exp...