Uber's New Management Reveals Security Breach of 57 Million Accounts, Ransom Payment, Concealment for Over a Year

By Matt Gross 

Uber revealed last week that the account details of 57 million people were stolen last year. As a high flying Silicon Valley startup and one of the fastest growing businesses in history, Uber might be expected to follow modern security practices. Instead, the scandal-plagued company has demonstrated failures in both security practice and security response.

The breach cleanup represents one of the early challenges for Uber's new CEO Dara Khosrowshahi. Khosrowshahi, who recently replaced controversial former founder and CEO Travis Kalanick, responded to the breach by firing Uber's chief security officer, Joe Sullivan, and publicly announcing the details of the event and cover up.

We now know that the breach occurred in October 2016 when hackers gained access to Uber files of personal data. The data stolen included 600 million driver's licenses and the names, email addresses, and phone numbers of 57 million users. The hackers contacted Uber to demand a ransom payment in return for the data.

One of the more questionable moves by former CSO Sullivan was the decision to pay the ransom. Most security experts, including the FBI, believe paying ransom is a bad idea. There is rarely any guarantee that the criminals will delete the data without keeping a copy of it. Paying ransom may also encourage other hackers to perform follow on attacks since ransom payments rarely stay secret among the dark webs of the hacking community. Significantly, it's a net loss for society too because it sets a dangerous precedent of financial incentive for cybercriminal behavior.

Some companies stay strong in the face of ransom demands. Last year a production partner of Netflix was hacked by a group called the TheDarkOverlord who stole a series of unaired episodes from Orange Is the New Black and other shows. They demanded 50 bitcoin (roughly $60,000 at that time) but Netflix didn't pay. The hackers released the videos online in retribution. Another brave institution was the Erie County Medical Center in upstate New York. When hackers took down their trauma center's computer system for six weeks, the staff managed to keep going with pen and paper. The hospital's CEO claimed, "This is a form of terrorism, these are criminals. In our case, we decided not to pay that ransom but make no mistake about it, this definitely affected our organization and it's going to cost us a lot of money in the long run.”

Other organizations give in and pay the ransom. Earlier this year, Alabama county officials paid as much as $50,000 to hackers after the county’s systems had been locked up and services impacted. In another example, a South Korean company paid 397.6 Bitcoin (about $1 million at the time) to recover data of 3,400 customers. And last year, Hollywood Presbyterian Medical Center paid $17,000 to unlock its data from hackers which had taken down their systems for 10 days.

The technical details of the Uber breach reveal big gaps in the company's security posture. The first mistake was a software developer at Uber revealed sensitive credentials in their code and uploaded the file to the company's source code repository at Github. The credentials were for Uber's hosting service at Amazon AWS. Such keys should always be guarded closely. With the keys to the kingdom in hand, the hackers accessed the Amazon AWS account and stole large amounts of personal data that Uber had collected on its users and its drivers.

Inadvertent sharing of credentials in source code is a frighteningly common problem and is often a red flag that deeper security problems are present. There a number of practices to avoid such a problem. One practice is to do automated scanning of the code repository for anything that looks like sensitive information. Another is to create many sets of credentials that are each severely limited in data access and can only be used in specific circumstances. Complementing these techniques is to keep credentials in a separate repository such as Amazon KMS with end-to-end encryption and in-memory storage.

In fact, Uber should have been prepared because they had made this mistake before. In 2014 a breach occurred due to a developer leaving an authentication key in code on Github that resulted in the theft of data on 50,000 drivers.

Another point of failure was Uber's inability to protect its source code. While it hasn't been published exactly how hackers gained access to Uber's Github repository, there are a few potential ways that hackers could have gained access. One possibility is that they took advantage of someone with access to the source code repository who had dangerously reused a password; reusing a password is risky because the password could have been revealed in some prior breach elsewhere. Or perhaps they stole the password through social engineering. For these failures, there are relatively straightforward security remedies. A source code repository should be set up with multi-factor authentication, ideally using a key fob or authentication app and not text messaging which is less secure. Additionally, employees and contractors should be required to use complex passwords which are unique and stored only in a password manager. And when an employee or contractor departs, a process should be in place to immediately revoke their access. To tighten the hatches still further, all employees and contractors should be trained in recognizing social engineering attacks.

While none of the security mistakes that Uber made are unusual among software developers, they are certainly dangerous. One would think a company of the size and valuation of Uber would hold themselves to a higher standard and a lower risk threshold.