Uber Hack highlights the risks of cyber security box ticking

“The latest hack on Uber is a clear indication that businesses are still not taking a best practice approach to cyber security. Covering up breaches and paying ransoms is not what businesses should be doing, as it has a severe impact on the brand due to loss of consumer trust and encourages cyber criminals to continue to target businesses with ransom oriented attacks.”

“What’s even more worrying is a company of Uber’s size has been hit by what seems to be an unsophisticated attack. How the attackers gained the login credentials to access data stored on an Amazon Web Services (AWS) account, including the personal information of riders and drivers, was through tapping into third party systems. In this instance, it was GitHub (which is an online code repository), and then they used the login credentials, which were shared to other systems such as AWS, where the archive of sensitive information was found”

“These systems don’t tend to be covered in any risk audits because they are outside of the company’s network, but more often than not, this is how hackers infiltrate businesses. So, any business just ‘ticking boxes’ when it comes to cyber security and not going through rigorous auditing beyond standard penetration testing, will leave themselves open to this kind of attack.”

It has been advised that compromised data from the October 2016 attack included names, email addresses and phone numbers of 50 million Uber riders around the world. The personal information of about 7 million drivers was accessed as well, including some 600,000 U.S. driver’s license numbers. Apparently no Social Security numbers, credit card information, trip location details or other data were taken.

“And, although no financial details were stolen, it’s still a pretty serious attack. Names, email addresses and phone numbers leave Uber’s riders or drivers (essentially all consumers of the service)susceptible to phishing attacks from these criminals. Driver’s license numbers is an even bigger issue, as this could quite easily lead to fraud and identity theft.”

“It’s an astonishing breach of its customers’ privacy and will hurt the brand.”

“There have now been a swathe of attacks resulting in data breaches, particularly targeting common cloud services platforms which are generally implemented with vendor default poor security controls. The fixes to these problems are normally very simple. They are just configurations that need to be improved to more secure settings. Organisations now need far more ongoing automated scanning and testing to determine if they are prone to such attacks.”

“This is why Australia is bringing in the Data Breach Notification Bill. However, we need to ensure this is properly enforced and not something that is loosely followed. If we are to take cyber security seriously, better transparency will not only help brands with their customers, as it shows they are acting responsibly, but will also help the security community work together to address these threats as a whole.”

Am I Safe?

“Although it hasn’t been reported whether Australian customers were affected, there are a few things you can do to increase your safety and ensure you're protected following this hack.”

“First, change your password and make sure it’s strong. Capitals, numbers, symbols, make it as complex as you can. Do not use the same password across different sites, particularly those that store your personal information or payment/bank information ”

“Secondly, keep an eye open for any suspicious emails, particularly from anyone pretending to be Uber or associated with the brand. These phishing emails are becoming harder to notice, as hackers are replicating company emails in a much more sophisticated way.”

“If there is an attachment, don’t click on it unless you definitely know the source. If it’s come from a company, try to navigate to the information through its website rather than through any email links or attachments. If you’re still not sure, the ACCC has a great website called ScamWatch, which has lots of information and can help you report any scams.”

-               Jason Edelstein, CTO of Sense of Security