Editor’s Note: This article was originally published November 22nd. The version below has been updated from the original.
EXECUTIVE SUMMARY:
Last week, we learned that the personal details of Uber’s 57 million customers and drivers had been stolen back in 2016. Worse yet, Uber kept it under wraps and paid the hackers $100,000 to destroy the data and make the problem go away. To add to Uber’s house of horrors, it all comes down to cloud security failures that could have been avoided.
Breakdown
Uber’s failure to disclose the breach goes beyond non-adherence to best practice and veers toward the unethical. State and local laws mandate that when breaches occur, government agencies and the people affected must be notified. As a result of not complying with this regulation, Uber’s security chief has been ousted and at least one member of Congress is calling for a probe. According to Reuters, U.S. Representative Frank Pallone is urging the Federal Trade Commission (FTC) to immediately launch an investigation. Reuters also quoted Pallone as saying, “Congress can and should take action now to pass legislation that makes companies more accountable and provides meaningful protections for consumers.”
This is not the first time Uber has driven into a security and PR storm. Back in 2015 a breach with a similar cause was disclosed a year after it was originally discovered. The cause then, and on this occasion, was elementary and easily avoidable.
In addition to using GitHub to store source code, programmers at Uber used a GitHub repository to upload security credentials, the keys to Uber’s servers hosted on Amazon. Hackers then had only to find those keys to be able to take off with sensitive data: names, email addresses, and phone numbers of millions of customers worldwide; 600,000 U.S. drivers’ license numbers; and the personal information of about seven million drivers. Shockingly, none of this was encrypted or protected by anything more than a username and password. On the bright side, Bloomberg’s Eric Newcomer reports that Uber said no Social Security numbers, credit card information, trip location details or other data were taken.
Wrong Turn
There are several ways Uber could have prevented this attack. Two-factor authentication, which GitHub now provides, would have added an extra layer of security and prevented the hackers from logging into the GitHub account. The use of SSH keys and the separation of login details and code would also have reduced risk. Uber could also have limited access by implementing a software-defined perimeter (SDP) approach to the data itself, which would have required multiple identification factors to get to the data the hackers wanted to see. As a result, the breach would have been far less likely to occur.
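One way to enforce the separation of login details and code described above is to scan files for AWS credentials before they reach a shared repository. The following is an added example, not code from this article or from Uber; the function names, the entropy threshold, and the sample file are assumptions made for illustration.

```python
import math
import re

# Access key IDs: 20 chars with an "AKIA" (long-term) or "ASIA" (temporary) prefix.
KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# Secret keys: a 40-char base64-style token assigned to a name containing "secret".
SECRET_RE = re.compile(
    r"(?i)secret[\w.-]*\s*[:=]\s*[\"']?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])")


def shannon_entropy(s):
    """Bits per character; filters out low-variety placeholders like 'xxxx...'."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def mask(value):
    """Keep a 4-char prefix so the report itself does not re-leak the secret."""
    return value[:4] + "*" * (len(value) - 4)


def scan(text, min_entropy=4.0):
    """Return (line_no, kind, masked_value) for each suspected AWS credential."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        for m in KEY_ID_RE.finditer(line):
            findings.append((no, "aws-access-key-id", mask(m.group())))
        for m in SECRET_RE.finditer(line):
            if shannon_entropy(m.group(1)) >= min_entropy:
                findings.append((no, "aws-secret-access-key", mask(m.group(1))))
    return findings


# Constructed sample file. The two key values are the placeholder credentials
# used in AWS documentation, not real keys.
SAMPLE = "\n".join([
    "import boto3",
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"',
    'aws_secret_access_key = "' + "x" * 40 + '"  # template placeholder',
    'region = "us-east-1"',
])

if __name__ == "__main__":
    hits = scan(SAMPLE)
    for line_no, kind, masked in hits:
        print(f"line {line_no}: {kind} {masked}")
    raise SystemExit(1 if hits else 0)  # non-zero exit blocks the commit
```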
In addition, as Check Point wrote in its blog earlier this year, breaches would be less common if organizations adopted the shared responsibility model and adhered more closely to cloud security best practices. Relying blindly on a cloud provider’s security can introduce a host of security issues. With a shared responsibility model, both organizations and their cloud providers adopt security measures to ensure customer data is stored and accessed securely in the cloud.
When the right cloud security technology is deployed, it can complement native cloud security controls to help organizations secure their workloads and applications running in cloud environments. This minimizes threats from breaches, data leakage, and zero-day threats, while also helping to regulate access and identity.
As ESG senior principal analyst Jon Oltsik says, “It’s not what you’ve known in the past. You have to adopt your processes; adopt your controls; and then develop a good model for monitoring in the cloud. Then, figure out how to link that to what you’ve done historically, because you don’t want to have to reinvent the wheel.”