11/22/2017
10:30 AM
Joe Stanganelli
News Analysis-Security Now
Uber Loses Customer Data: Customers Yawn & Keep Riding

Uber's latest breach revelations offer lessons in how not to respond to a breach. Is it a good thing, or a bad thing, that customers don't seem to care?

On Tuesday, Uber CEO Dara Khosrowshahi issued an apologetic company blog post announcing that he had only recently learned of an October 2016 data breach in which hackers obtained approximately 57 million Uber users' names, email addresses, mobile phone numbers, and (in the case of US drivers) drivers' license numbers.

Even more distressing than the company's 13-month delay in reporting the breach is that the company's security team, led by outgoing CSO Joe Sullivan, reportedly covered up the hack to prevent discovery by regulators -- going so far, the New York Times reports, as to get the hackers to sign a nondisclosure agreement. In perpetrating the coverup, Uber apparently paid the hackers $100,000 ransom -- disguised as a "bug bounty" -- to get the hackers to delete their copy of the stolen data. (How Uber executives could possibly confirm that the hackers ever did delete all of their copies of the stolen data is an unanswered question.)

Khosrowshahi did not take the company reins until September of this year; the breach took place during the tenure of Khosrowshahi's predecessor, Travis Kalanick. Kalanick departed in disgrace following allegations of a culture of sexual harassment and misogyny at Uber. Indeed, the news of this hack -- and its attempted cover-up -- is only the latest scandal of many to rock the beleaguered ride-sharing company -- and each such scandal has been worse than the last.

In November 2014, super-VC Peter Thiel criticized Uber's business tactics as too risky, calling it "the most ethically challenged company in Silicon Valley." It's not hard to see why when examining some of its biggest known data-protection failures:

Actually bad security
The most recently revealed hack is not the first significant data exposure the company has suffered. Two years ago, a major bug in Uber's "Uber Partner" app accidentally exposed several items of personal information and documents belonging to hundreds of Uber drivers (as many as 674) -- including social security numbers, driver's licenses, tax forms and taxi licenses.

Nor is the "new" hack even the first data breach that Uber has hidden from the public. In September 2014, the company discovered that details of the names and driver's license numbers of 50,000 Uber drivers had been stolen four months prior after an Uber engineer publicly exposed users' details on GitHub in May 2014. Uber failed to publicly disclose the breach until February 2015; the company got slapped with a $20,000 fine by the state of New York for the delay.

According to FTC filings, Uber has overpromised on security to its users while failing in the past to properly protect user PII (personally identifiable information) stored in its AWS S3 buckets. For these reasons and more (such as some of the items below), the FTC issued a consent order against Uber this past summer -- directing Uber to clean up its act and be subjected to FTC oversight over the next 20 years.

God Mode: spying on users for fun and profit
Technical security isn't Uber's biggest data-protection sin; that would be Uber's data-protection culture.

To understand just what Uber thinks about the sanctity of user data, consider "God Mode" -- an internal tool that Uber has had since its early days. God Mode reportedly has allowed employees to access granular data on individual Uber riders and drivers, autonomously and without oversight, for any "flims[y]" reason they deemed fit -- including spying on celebrities and politicians, stalking exes, or just for the fun of it (such as to provide entertainment at a company party).

On this latter point: In a March 26, 2012 company blog post titled "Rides of Glory," Uber's then data evangelist Bradley Voytek presented data analysis of Uber riders' activities in six major US cities between 10 p.m. and 4 a.m. on Friday and Saturday nights to extrapolate details of their probable one-night stands. While there is no evidence to suggest that Voytek/Uber used God Mode instead of scrubbed and anonymized data to conduct this analysis, after an Uber executive suggested snooping into the personal lives of reporters who criticize the company, Voytek's cheeky data-nerd pabulum brought heaps of negative attention to Uber regarding just how much personal information the company may know about its users.

Sometimes, God Mode was used simply to impress. In a spate of fantastically colossal naiveté during a set of interviews three years ago, Uber's then New York City general manager Josh Mohrer revealed to Buzzfeed reporter Johanna Bhuiyan that he had repeatedly pulled her Uber ride data (via God Mode, presumably) -- failing to appreciate the natural implications of revealing to a reporter on the record that he had violated her data privacy without her prior knowledge or consent.

Worse, Uber's obsession with hoarding user location data has gone beyond actual Uber rides. Last year, Uber released an update that began tracking users' locations for at least five minutes after their Uber ride had actually ended (if not constantly). After loud and sustained public outcry, the company finally did away with the "feature" in an update less than three months ago.

Flouting the rules
God Mode wasn't the only uber-powerful data tool Uber wielded. Collecting data via a variety of ingenious high-tech and low-tech stalking measures, Uber identified phones belonging to code-enforcement officers and other government authorities in cities it was barred from operating in. From there, the company's app used a tool called Greyball to serve a fake version of the app with "ghost" cars to suspected law-enforcement authorities. This was part of a program called VTOS -- short for (I am not making this up) "Violation of Terms Of Service".

Similarly, close to three years ago, Apple caught Uber red-handed tagging and identifying any iPhone that had ever installed the Uber app -- even if the app had since been deleted (and trying to hide the evidence from Apple's engineers). Apple CEO Tim Cook summoned Kalanick to his office and told him to cut it out, lest he see the Uber app removed from Apple's "walled garden" App Store.

But it's so easy!
In short, when it comes to caring about users, Uber (Kalanick's Uber, anyway) has been a Saturday morning cartoon supervillain -- and it remains to be seen how the company will change under Khosrowshahi beyond his grand apology tour (which is itself not particularly new for the company).

That said, while we can sit back and throw squishy tomatoes at the easy target of Uber all day long, we miss a more important detail in doing so: that the company has millions of user records -- and, thus, millions of users -- to be compromised to begin with.

13 months ago, Uber boasted 40 million active riders each month (to say nothing of drivers). Analysis by software engineer Aaron Yip suggests that those numbers have barely suffered at all despite the company's numerous scandals. Uber has shown itself to be the fox to your data's henhouse -- and still the company attracts and retains loyal users.

The security lesson: Usability and accessibility thrive. Always. Bad security and privacy practices may put a dent in adoption, but we live in a society that is actively pursuing the technological means to potentially subjugate and destroy itself -- all in the name of simplicity.

Lay users are so often confused and frustrated with cybersecurity obstacles that they wind up drastically putting their own data at risk in favor of accessibility. It's true of their password and authentication choices, and it's true of their choices of platform and technology. The word is out that Uber is terrible. Uber's users don't care -- because Uber is terrific in the one area that matters: making life easier. (See Common Sense Means Rethinking NIST Password Rules and Personal Security Begets Enterprise Security.)

Consequently, InfoSec professionals are the ones who must learn from Uber's continued success in the face of its still-awful track record for data protection. No amount of education will completely save users from themselves. Accept it.

Joe Stanganelli, principal of Beacon Hill Law, is a Boston-based attorney, corporate-communications and data-privacy consultant, writer, and speaker. Follow him on Twitter at @JoeStanganelli.