The Uber data breach was a clear lesson in how NOT to handle a cyberattack. When the hackers contacted Uber by email, back in November 2016, they demanded a six-figure sum in order to destroy the wealth of data they’d stolen so news of the breach would quietly fade away once the bribe had been paid.
As opposed to dealing with the data breach in the appropriate way, Uber decided to pay-off the hackers and cover the breach up. A payment of $100,000 was reportedly made to the two hackers, and employees responsible for the security issue passed the whole thing off as a “bug bounty” program, which is where hackers are offered money to try and find weaknesses.
In reality, they were simply hacked, and Uber have not only paid the heavy price of the bribe, but also the cost of a handling the crisis thereafter.
Understandably, Uber has been slammed for its handling of the breach. They failed to appropriately disclose that the details of some 57 million customers had been compromised, and the breach also reportedly included license information for over half a million of their drivers.
Rather than doing the honourable thing and disclosing the breach, which is vital to ensure victims can prepare for the potential of being scammed, they instead hid the breach in efforts to cover it up.
As a result of their deception, it has cost at least one employee their job and has likely harmed Uber’s reputation. On top of that, government and intelligence agency probes have ensured Uber explains themselves and apologise for the way they handled the breach, which has turned into a serious crisis for the company.
Their efforts to pass the breach off as a bug bounty has been labelled as “morally wrong and legally reprehensible”.
We also understand that it wasn’t difficult for the hackers to break into Uber’s systems. They reportedly found legitimate access credentials on a storage area Uber engineers used on GitHub. The hackers then used the credentials to break into an Amazon cloud database they were using.
Organisations must never run from a data breach
Organisations must never run or shy away from a data breach. Although the first priority should be to ensure that servers and systems are safe and secure. If an organisation ever does fall foul of a breach, then victims should be informed as soon as possible in order to minimise any potential for scams and frauds to be committed using data stolen from a hack.
The Uber data breach and the way they mishandled the whole situation is the perfect example of how NOT to deal with a breach and how NOT to handle a cyberattack effectively.