Uber is facing intense scrutiny from some cybersecurity experts after admitting it paid hackers $100,000 to hide a massive data breach affecting over 50 million customers and 600,000 drivers.
“Paying the ransom and keeping it quiet for a year until new management has to deal with – probably not the best way to go about it,” Alex Heid, white hat hacker and chief research officer at SecurityScorecard, told The Daily Caller News Foundation. “New management is now faced with this, and this is just the incident they know about. There might be other skeletons in the closet that haven’t even emerged yet.”
Instead of notifying users and drivers of the hack right away, Uber sent out a notification saying only 50,000 driver’s license numbers were compromised and made no effort to disclose the full extent of the breach.
“It was recorded in 2015 when this hack took place, but Uber said the hackers only got 50,000 driver’s licenses and claimed to have mitigated it. But it’s turned out that same attack had a much larger vector,” Heid said.
Heid explained how Uber was careless with vital code and ultimately allowed customers’ private information to get out into the open. GitHub, a public code repository service, is used by developers and corporations around the world to store and share companies’ source code.
Entities have the option of making that code public or private on GitHub’s platform. Uber was not vigilant enough in securing that code, and password credentials were made available to the hackers by mistake, according to Heid.
“What oftentimes happens is people using this type of a service will mix up the public and the private aspect and expose bits of code intended to be hidden. Oftentimes that code will have passwords and API keys that are released accidentally,” he said. “It gave enough authentic credentials for an attacker to take advantage of, and the attackers were able to reuse those credentials to access more proprietary information.”
“It’s up to the user to know how to use GitHub correctly,” Heid added. “At the end of the day everyone is going to be the victim of a cyber incident, but it’s the way a company responds that determines whether or not it’s a success or a failure.”
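The failure Heid describes, credentials committed to a repository and then exposed when the repository turns out to be public, is usually caught on the defender's side with a secret scanner run before code is pushed. The following pre-commit style scanner is an added illustration of that control; it is not code from the article, from Uber or from SecurityScorecard. Its rules, its entropy threshold and the sample settings file it scans are all constructed for this example, and the access key and URL credential in the sample are made-up values.

```python
import math
import re
import sys
from dataclasses import dataclass

# Detection rules a pre-commit hook might apply (constructed for this example).
# ASSIGNMENT_RE catches `password = "..."`-style literals, AWS_KEY_RE matches the
# documented AWS access key ID shape (AKIA + 16 uppercase alphanumerics),
# URL_CRED_RE catches `scheme://user:password@host` connection strings, and
# LITERAL_RE feeds long quoted strings to an entropy check for random-looking tokens.
ASSIGNMENT_RE = re.compile(
    r'(?i)(password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*["\']([^"\']{6,})["\']'
)
AWS_KEY_RE = re.compile(r'\bAKIA[0-9A-Z]{16}\b')
URL_CRED_RE = re.compile(r'[a-z][a-z0-9+.-]*://[^/\s:@]+:([^@\s]+)@')
LITERAL_RE = re.compile(r'["\']([A-Za-z0-9+/=_\-]{20,})["\']')
ENTROPY_THRESHOLD = 4.0  # bits per character; an assumed starting point, tune per codebase

# Template values that should not block a commit (assumed list, extend as needed).
PLACEHOLDER_TOKENS = ("changeme", "example", "xxxx", "<", ">", "${", "{{", "your_")


@dataclass
class Finding:
    line_no: int
    rule: str
    snippet: str  # redacted so the hook's own output never leaks the secret


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; ~5.9 for uniformly random base64, lower for words."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_placeholder(value: str) -> bool:
    v = value.lower()
    return any(tok in v for tok in PLACEHOLDER_TOKENS)


def redact(value: str) -> str:
    return f"{value[:4]}...({len(value)} chars)"


def scan_text(text: str) -> list[Finding]:
    """Scan source text line by line and return one Finding per suspected credential."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in AWS_KEY_RE.finditer(line):
            findings.append(Finding(line_no, "aws-access-key-id", redact(m.group(0))))
        for m in URL_CRED_RE.finditer(line):
            findings.append(Finding(line_no, "credential-in-url", redact(m.group(1))))
        for m in ASSIGNMENT_RE.finditer(line):
            name, value = m.group(1), m.group(2)
            if not is_placeholder(value):
                findings.append(Finding(line_no, "hardcoded-credential", f"{name}={redact(value)}"))
        for m in LITERAL_RE.finditer(line):
            value = m.group(1)
            # Skip literals already reported by a more specific rule, and template values.
            if AWS_KEY_RE.fullmatch(value) or ASSIGNMENT_RE.search(line) or is_placeholder(value):
                continue
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append(Finding(line_no, "high-entropy-literal", redact(value)))
    return findings


# Constructed sample of a settings module accidentally pushed to a public repo.
# Every credential-like value below is made up for this example.
SAMPLE_SOURCE = """\
# constructed sample of a settings module accidentally pushed to a public repo
DB_HOST = "db.internal.example"
DB_PASSWORD = "changeme"
API_TOKEN = "s3cr3t-T0k3n-9f8e7d6c5b4a"
aws_access_key_id = "AKIAZZ9CONSTRUCTED00"
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYzQ3nVt8bLm"
DATABASE_URL = "postgres://app:Tr0ub4dor3@db.internal:5432/prod"
LOG_LEVEL = "INFO"
"""


def main() -> int:
    """Pre-commit semantics: print redacted findings and fail the commit if any exist."""
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SOURCE
    findings = scan_text(text)
    for f in findings:
        print(f"line {f.line_no}: {f.rule}: {f.snippet}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run with no input and it scans the embedded sample, reporting the hardcoded token, the access key ID, the high-entropy secret key and the password embedded in the connection string while letting the `changeme` placeholder through; wired into a pre-commit hook with the staged diff on stdin, a non-zero exit blocks the commit. Pattern rules alone miss secrets with unusual names, and the entropy rule alone flags hashes and encoded blobs, so the two are meant to be used together and tuned with an allowlist for the codebase.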
Brand and reputation management expert Eric Schiffer, chairman of Reputation Management Consultants, said that if Uber doesn’t turn things around, its image will continue to suffer while it loses customers.
“You can’t have errors like this, especially when you have such a strong competitor in Lyft,” he said. “It was an uber-level fail.” Schiffer thinks the company needs a more direct, personal touch to rebrand its image as a transparent enterprise.
“They have clearly elected to just address this in the media, and that’s going to work with a certain portion of the public. But those that are savvier about these kinds of things, it’s not going to do enough,” he said. “The trust battle is an important one in this equation because you’re putting your life, in essence, in the hands of this company. The smartest brands care about trust building and therefore they’ll get in front of these situations.”
Guy Podjarny, CEO and co-founder of Snyk, a platform that finds and fixes vulnerabilities in the open source code that companies use, echoed the sentiment that everyone eventually gets hacked, and said it was Uber’s response that put the company in hot water.
“No one is truly immune to vulnerabilities. The key question is what you do about it. And I think that’s where Uber failed,” Podjarny said. “That lack of transparency is something that is much harder to forgive.”
Podjarny said this won’t be the last time these hackers hold something over Uber’s head and warned users to brace for another breach down the road. “Hacks rarely occur in one fell swoop. They occur in phases. Is Uber going to be hacked again? Probably. The question is how much information will they be able to extract, and will the users be informed about it in time to protect themselves.”
Heid said one of the best ways users can protect themselves from being affected is password management.
“In addition to just changing your passwords for Uber, you should probably change your passwords for all of your services. I’d recommend using a password management service. There is one called KeePass, which is a free open-source tool. It’s an encrypted container that will manage all of your different passwords so you don’t have to remember all the different combinations. It can all be stored there.”
Heid added it’s only a matter of time before the hackers break their word and attempt to use the data against unsuspecting online users.
“For now the hackers are upholding the honor of their ransom and not releasing the data, but it’s just a matter of time before someone does start using it, and making use of passwords to take over customers’ Netflix or Spotify or Amazon accounts. In the future Uber needs to have rapid communication to all the affected enterprises,” he concluded.
TheDCNF reached out to Uber for comment, but did not receive a response in time for publication.