Ahead of GDPR: what can we learn from Uber’s data breach and its concealment?

28th November 2017

Uber has come under fire (again) recently for the way it handled a data breach in October 2016. 

The breach saw 57 million customers’ data hacked, which included names, email addresses and phone numbers. The hackers also gained access to the names and license plate numbers of 600,000 Uber drivers.

Following the breach, Uber paid the hackers $100,000 (£75,500) to delete the data they’d stolen, and to keep the hack a secret. 

The hackers gained access to this data through Uber’s GitHub account (GitHub is a service for hosting source code repositories); in the repository they found the username and password for Uber’s Amazon Web Services account, where all the user and driver data was stored.
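The failure described above is a credential committed to a code repository. A defender-side check for exactly that, as an added example (not Uber’s, GitHub’s or AWS’s tooling): scan a diff or config text for the well-known AWS access key ID shape and for high-entropy values assigned to secret-like names, so the commit can be blocked before it reaches a shared repository. The sample input is constructed; the key values are the published AWS example values, not real credentials.

```python
"""Pre-commit style scan for cloud credentials in text (diff, config, source).
Added example; the patterns and threshold are assumptions, not a product's rules."""
import math
import re
from dataclasses import dataclass
from typing import List

# AWS access key IDs are 20 characters beginning with "AKIA".
AWS_KEY_ID = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
# A secret-looking value (16+ chars) assigned to a secret-like name. No leading
# \b so that names such as DB_PASSWORD still match on the "password" part.
SECRET_ASSIGN = re.compile(
    r"(?i)(aws_secret_access_key|secret|password|token)\s*[:=]\s*['\"]?([A-Za-z0-9/+=_\-]{16,})"
)


@dataclass
class Finding:
    line_no: int
    kind: str
    value: str


def shannon_entropy(s: str) -> float:
    """Bits per character; random keys score well above passwords made of words."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan(text: str, min_entropy: float = 3.5) -> List[Finding]:
    """Return every suspected credential, with the line it sits on."""
    findings: List[Finding] = []
    for no, line in enumerate(text.splitlines(), 1):
        for m in AWS_KEY_ID.finditer(line):
            findings.append(Finding(no, "aws_access_key_id", m.group(1)))
        for m in SECRET_ASSIGN.finditer(line):
            name, value = m.group(1).lower(), m.group(2)
            if shannon_entropy(value) >= min_entropy:   # skip low-entropy junk
                findings.append(Finding(no, f"high_entropy_{name}", value))
    return findings


# Constructed sample: a config file that should never have been committed.
SAMPLE = """\
# constructed sample config, not real credentials
aws_access_key_id = AKIAEXAMPLE000000001
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
DB_PASSWORD=hunter2hunter2hunter2
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line_no}: {f.kind} -> {f.value[:6]}...")
```

Run as a pre-commit hook over `git diff --cached` output, a non-empty result should fail the commit; the entropy floor keeps obvious placeholder values such as the low-entropy DB_PASSWORD line out of the report.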

Uber might have evaded the law by not reporting this breach to the relevant authorities, as well as not informing affected customers and drivers that their data had been compromised. US, UK, Australian and Filipino authorities have announced investigations into this breach and the subsequent cover-up, although it’s unclear what retrospective action Uber might face; but under the General Data Protection Regulation (GDPR) due to come into effect in May 2018, the consequences for Uber would be dire.

GDPR is designed to protect consumers and individuals from the unlawful use of their data. Much of the coverage of GDPR focuses on data breaches, with the overwhelming message that businesses must put measures in place to prevent and report on cyber-attacks and data breaches. This message has arguably been hijacked to tell businesses that they’ll be fined for any breach. But it’s more nuanced than that.

Under the new law, businesses are required to put “appropriate measures” in place to protect the Personally Identifiable Information (PII) they hold. It’s yet to be seen whether Uber did this; we don’t know if this breach occurred due to a security flaw, or if Uber was “wilfully negligent”. Avecto’s Senior Security Engineer James Maude said of the login details being stored in GitHub: “a serious error on Uber’s part was storing the keys to its data store on a GitHub code repository which the attackers could access. 

“This is the digital equivalent of writing the password down on a bit of paper.”

Jeremiah Grossman, SentinelOne’s Chief of Security Strategy, disagrees, arguing that “this is all too common on GitHub. It’s not a forgiving environment.” He added: “Everyone makes mistakes. It’s how you respond to those mistakes that gets you in trouble.”

It’s believed that businesses won’t be fined purely for experiencing a data breach. If they want to avoid the potential fine they need to provide the Information Commissioner’s Office (ICO) with sufficient proof that measures were taken to prevent breaches. Tools that analyse how the breach occurred in the first place will also come in extremely handy when reporting to the ICO, showing that businesses are taking the breach, and the security of their data, seriously.

When it comes to deciding on the size of the fine – if a business is fined at all for a data breach – it is again believed that this is based on a number of factors. The first is whether or not Uber put appropriate security measures in place. The second is the nature of the data breached. Although Uber users have been advised to change their passwords immediately, there’s no evidence to suggest login details were obtained. Names, email addresses and phone numbers were compromised, which could easily identify consumers and also lead to phishing phone calls and emails. Uber’s new CEO Dara Khosrowshahi stated there was no evidence that additional details, including date of birth and bank information, were accessed. This might ease consumers’ worries, as well as Uber’s; date of birth is considered more sensitive as it can easily identify a person, and is often linked to security questions.

Uber’s mistake largely lies in the cover-up. Not only is its failure to alert authorities a breach of the law in a number of countries it operates in, including 48 of the 50 US states, it would have the most serious repercussions under GDPR. It’s very likely that, had this happened post-May 2018, Uber would be facing the largest fine available: €20 million (£17.75 million), or 4% of global turnover, whichever figure is higher. Although Uber is American-owned and operates internationally, it would be governed by GDPR because it holds UK customer data.

Uber’s next grave error was choosing to pay the hackers off. It did so because the hackers agreed to delete the data and keep the breach quiet in return for payment; but are cyber criminals really the people you’d put your trust in? There’s no guarantee that the hackers did delete the data – despite Uber claiming it received reassurances on that – and a multitude of reputable sources, including law enforcement agencies, advise businesses never to give in to hackers’ demands. Not only are they untrustworthy and unlikely to keep their word – a third of UK businesses who paid hackers who carried out ransomware attacks never saw their data again – it also incentivises them to carry out further attacks. What’s more, Uber may open itself up to further cyber-attacks as hackers come to see it as a guaranteed payout.

Uber’s Chief Security Officer Joe Sullivan is no longer with the company following the hack, but that could be the least of the company’s worries with an expected slew of lawsuits in response to the cover-up. If there’s one thing businesses can take from this example ahead of GDPR, it’s to do the exact opposite of everything Uber has done.

Author bio: article provided by TSG, UK specialists in IT support and IT security for businesses.