Story image

Uber disguised breach ransom payment as a bug bounty reward

29 Nov 2018

£385,000 might be little more than a slap on the risk for Uber’s catastrophic data protection failings that caused cyber attackers to access the data of 2.7 UK customers and 82,000 UK drivers.

The Dutch Data Protection Authority Autoriteit Persoonsgegevens has also issued a fine of €600,000 to Uber, after 174,000 Dutch citizens were also affected by the breach.

But the breach reached much further than the UK and the Netherlands – more than 57 million Uber users worldwide were caught in the breach.

The UK Information Commissioner’s Office dealt the ruling this week. Director of investigations Steve Eckersley called it a serious failure of data security on Uber’s part, and a complete disregard for the customers and drivers whose personal information was stolen.

The breach happened between October and November 2016 when attackers used ‘credential stuffing’, a method in which usernames and passwords are cycled through until they find a match for an existing account.

The attackers were able to access customers’ full names, email addresses and phone numbers. Driver records, including details of their journeys and how much they were paid, were also stolen.

The attackers targeted a cloud-based storage system operated by Uber’s US parent company. They accessed more than 1000 S3 buckets and then demanded money to reveal how they had accessed the accounts.

They claimed they would not destroy the data until payment had been made.

But that’s not the end of the story – Uber then paid the attackers US$100,000 to destroy the stolen data. To try to legitimise the payment, Uber disguised the payment through a third party provider that administers Uber’s bug bounty programme.

“Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyber attack,” comments Eckersley.

“Although there was no legal duty to report data breaches under the old legislation, Uber’s poor data protection practices and subsequent decisions and conduct were likely to have compounded the distress of those affected.”

Not only did the incident breach principle seven of the Data Protection Act 1988, it also exposed drivers and customers to increased fraud risks.

According to The ICO Monetary Penalty Notice, Uber has since improved security measures including a new key management system for credentials that access S3; source code migration from GitHub to internal code repositories; the introduction of multi-factor authentication for programmatic service account access to the S3 datastore; and further work on two-factor authentication.

The Dutch Data Protection Agency says the fine was issued because Uber did not report the breach to the DPA within 72 hours after it was discovered. 

The Dutch regulator was the lead member of an international task force which included the ICO and which co-operated in investigating the effects of the incident in their respective jurisdictions.

Uber’s Q2 2018 financial results reported revenue of US$2.7 billion – a 51% increase since Q2 2017.
 

Security flaw in Xiaomi electric scooters could have deadly consequences
An attacker could target a rider, and then cause the scooter to suddenly brake or accelerate.
Four ways the technology landscape will change in 2019
Until now, organisations have only spoken about innovative technologies somewhat theoretically. This has left people without a solid understanding of how they will ultimately manifest in our work and personal lives.
IDC: Top 10 trends for NZ’s digital transformation
The CDO title is declining, 40% of us will be working with bots, the Net Promoter Score will be key to success, and more.
Kiwi partner named in HubSpot’s global top five
Hype & Dexter is an Auckland-based agency that specialises in providing organisations with marketing automation solutions.
Moustache Republic expands Aussie presence with new exec
The Kiwi digital commerce partner has appointed a Sydney-based director to oversee the expansion of the company’s Australian footprint.
Epson’s new EcoTank range with two years printing per tank
With 11 new EcoTank printers that give an average user two years of printing and cost just $17.99/colour to refill, Epson is ready to change the game.
Te reo Māori goes global via language app called Drops
If you’re keen to learn a few words of Māori – or as much as 90% of the language, you may want to check out an Android and iOS app called Drops.
Reckon Group announces a steady profit in 2018
Reckon continued its investment in growth throughout the year with a development spend of $14.3 million.