In a previous blog post, we highlighted the details regarding the recent Uber data breach, including the fact that Uber paid hackers to hide the breach. This is just one of several things that Uber got wrong in its response to the breach. What lessons can businesses take from this latest breach response?
Where Uber Failed In Its Response
Storing Sensitive Data in Repositories. Uber software developers stored sensitive login data on a third-party repository, GitHub. Developers often use GitHub and similar repositories as a way to collaborate on projects, track bugs, and distribute application versions.
Making the Same Mistake Twice. This recent breach wasn’t the first time that Uber data was accessed via GitHub. In 2014, hackers found a login key left in code that Uber’s developers publicly posted on GitHub, resulting in the theft of data on 50,000 Uber drivers.
Trusting in the Kindness of Hackers. Uber paid the hackers a $100,000 ransom for the data and required them to sign a nondisclosure agreement. Trusting in the kindness of hackers is probably not sound business sense. It creates other issues as well: according to Democratic Sen. Mark Warner, the payment “thwarts law enforcement’s ability to bring criminal hackers to justice.”
Waiting to Announce. The data breach occurred in 2016. Waiting a year to announce the breach shows little regard for customers’ data and trust. Further, Uber also negatively impacted the employer-employee relationship by not properly safeguarding employee data (in this case, drivers’ license data). Legal requirements dictate quick notice as well. Forty-eight states have laws on their books that require companies to inform consumers promptly whenever their information has been stolen — and in many cases, the theft of Uber drivers’ license numbers would have required the ride-hailing company to make the breach public.
Lessons Learned for Businesses
Customer Perception Will Impact Your Business. Uber has been in the news this year, and many of the stories have been negative. How customers perceive an organization’s workplace environment, their treatment of employees, and their handling of customer data will, in many cases, impact how they vote with their wallets. One data point: after earlier bad publicity for Uber, 1010data reported that Lyft’s customer base grew 7 percent, and more than half of Lyft’s new riders had previously used Uber.
Security Awareness Is Everyone’s Job. It was easy for hackers to simply exploit the login credentials from a private GitHub coding site used by Uber software engineers, obtain access to Amazon Web Services, and then discover information on Uber drivers and guests. When it’s time for security awareness education, it might be tempting to skip your technical staff, such as software developers. After all, you might think, of all my employees surely my ‘techies’ get security! And, maybe, in most cases they do. But the Uber breach is proof of the need to take a role-based approach to security awareness. While your software developers may not be using ‘12345678’ as a password, they may be less clear about what to store and not store in a repository such as GitHub. Passwords and private keys should not be included in posted code.
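One way to back that rule with tooling is a pre-commit check that refuses a commit when staged files contain credential patterns. The Python script below is an added example, not code from Uber or from the original post; the rule names and regular expressions are assumptions chosen for illustration and are not an exhaustive set.

```python
#!/usr/bin/env python3
"""Pre-commit check: refuse a commit whose staged files contain credentials."""
import re
import subprocess
import sys

# Rule names and patterns are this example's own choices (assumptions).
RULES = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "hardcoded-secret": re.compile(
        r"(?i)(?:password|passwd|secret|api_?key|token)\b\s*[:=]\s*['\"][^'\"\s]{8,}['\"]"
    ),
}


def scan_text(path, text):
    """Return (path, line_number, rule) for every line that matches a rule."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            if pattern.search(line):
                findings.append((path, number, rule))
    return findings


def staged_files():
    """Yield (path, content) for files added, copied or modified in the git index."""
    names = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM", "-z"],
        capture_output=True, check=True,
    ).stdout.decode().split("\0")
    for name in filter(None, names):
        blob = subprocess.run(["git", "show", f":{name}"], capture_output=True, check=True)
        yield name, blob.stdout.decode("utf-8", errors="replace")


def main():
    findings = [f for name, text in staged_files() for f in scan_text(name, text)]
    for path, number, rule in findings:
        # Report location and rule only, so the secret is not copied into logs.
        print(f"{path}:{number}: {rule}", file=sys.stderr)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Saved as `.git/hooks/pre-commit` and made executable, the script blocks the commit with a non-zero exit status; a value read from the environment at run time, such as `os.environ["DB_PASSWORD"]`, does not trigger it.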
Prompt Detection and Response Are Critical. According to Gartner data, around 80% of 2016 security budgets were allocated to protection, while only 10% was allocated to detection and 10% was allocated to response. But prompt detection reduces the impact and cost of a data breach, and a quick and proper response will do much to maintain customer trust. To aid in breach detection, apply user activity monitoring software products to listen for threats and deliver alerts in order to prevent or mitigate breaches. Craft an Incident Response Plan that details the procedures to take in the event of a breach, the team who will be involved and their responsibilities, and the timeline for actions.