Uber made headlines this week when the company disclosed that it had suffered a massive data breach last year. Over a year ago, hackers stole the account information of 57 million drivers and riders, and Uber kept the news under wraps after paying the attackers $100,000. Despite some early reports, this was not a ransomware attack: no systems were encrypted or locked. It was a theft of data followed by an extortion demand.
The payment was arranged under the direction of Uber’s Chief Security Officer, Joe Sullivan, the former CSO of Facebook and a well-known figure in the industry. Sullivan said he made the deal on the orders of then chief executive Travis Kalanick. Sullivan has since been fired; Kalanick was pushed out as CEO in June but remains on Uber’s Board of Directors.
The details of the attack remained hidden until Tuesday, when the ride-hailing company said it had discovered the cover-up as part of a board investigation into Uber’s business practices. The hackers stole the account data of over 57 million people, including Uber riders and drivers.
The stolen account information included names, email addresses, and phone numbers and was taken by the hackers from a third-party server. Once they had the data, the criminals approached Uber and demanded $100,000 to delete their copy.
It’s pretty clear that Uber did not respond to the breach correctly, or even ethically. In fact, the way the company responded bordered on downright illegal. To learn from Uber’s mistakes, let’s take a look at the key failures in its response:
They paid a huge sum of money to organized criminals:
As soon as the breach was discovered, Uber executives decided to pay quickly and conceal it. This goes against the warnings of countless cybersecurity experts, who have continually emphasized that paying extortionists, whether to regain access to encrypted data or to buy their silence about a stolen copy, only rewards the crime and offers no guarantee the attackers will keep their word.
The FBI echoed these warnings in a 2016 statement. Additionally, many states have breach-notification laws that require companies to disclose breaches of personal data in a timely fashion. Kevin Beaumont, a cybersecurity specialist based in Britain, says that this kind of breach response connects companies directly with criminal activity.
“Companies are funding organized crime, and an industry of criminals is being created,” Beaumont told the New York Times. “The good guys are creating a market for the bad guys. We’re enabling them to monetize what years ago would have been teenagers in bedrooms breaching companies for fun.”
They put their reputation before security & integrity:
Not only did Uber submit to the hackers’ demands, the company went a step further. It tracked down the hackers and had them sign nondisclosure agreements. To further cover up the damage, Uber executives made the payment look as though it had been part of a “bug bounty,” a common practice among tech organizations in which they pay security researchers to find and responsibly report vulnerabilities in their software. A legitimate bounty rewards disclosure of a flaw before data is taken; it is not hush money paid after a theft.
The handling of the breach and the corresponding cover-up demonstrate how far executives were willing to go to protect Uber’s $70 billion business and its reputation. They put the company’s image before the security of customer data and the trust of customers. Even worse? The New York attorney general’s office said on Tuesday that it had opened an investigation to determine whether state or federal laws were broken in the handling of the breach.
They set a dangerous precedent:
Perhaps the worst part of Uber’s handling of the breach is that it set the company, and other American companies, up for even greater risk. By caving to the hackers’ demands, Uber established a dangerous precedent: American companies will pay large sums to avoid losing data or going public with a breach.
Because business executives are more concerned about reputational damage than about the breach itself, a market is being created for cybercriminals. They will target large companies holding sensitive data, steal massive amounts of it, and hope those companies respond like Uber did, paying up to save face and sweeping the incident under the rug.
Uber is now scrambling to address the cover-up and has been working to restructure its executive team and operational strategy. Dara Khosrowshahi, chosen in August to replace Kalanick as chief executive, released a statement saying he was only recently made aware of the breach.
“None of this should have happened, and I will not make excuses for it,” Mr. Khosrowshahi said in an Uber blog post. “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”
Uber has also hired Matt Olsen, former general counsel of the National Security Agency (NSA), as an adviser tasked with reorganizing the company’s security team, and has retained Mandiant, a leading security firm, to conduct an independent investigation of the breach. Many believe the damage is already done, however, and Uber officials are aware of the very long road they face to restore customer trust.
The scary thing is that the Uber breach isn’t even the most serious recent exposure of sensitive customer information. In 2016 Yahoo disclosed not one but two breaches, each far larger than Uber’s. Equifax, the consumer credit reporting agency, was also recently hit by a massive attack in which the personal data of over 140 million consumers was stolen.
This breach wasn’t Uber’s first time around the block, either. In May 2014 the company was hit by a smaller attack, which it discovered later that year and disclosed in February 2015. In that incident, the names and driver’s license numbers of more than 50,000 of the company’s drivers were compromised.
The lessons business owners should take from the Uber breach are twofold. First, no matter what you do, never pay off extortionists. However bad the potential damage to your corporate reputation might be, engaging with criminals is not worth it and can make the problem much worse. Not to mention, paying gives you no guarantee that they will actually delete the stolen data or restore your access to it.
Second, implement a detailed and living cybersecurity plan based on applicable compliance standards and industry best practices. Your company’s strategy should include a written breach-response plan that can be executed smoothly in the face of an attack, including who makes decisions, how and when customers and regulators are notified, and how evidence is preserved. Response plans should be built on integrity and transparency and should, at minimum, satisfy the incident-response requirements of standards such as PCI DSS where they apply.
“The Uber hack teaches an important lesson: PCI standards are a minimum,” says Natan Bradbury, a cybersecurity specialist out of the DFW Metro Area. “There’s no question – best practice should always be the rule of thumb by which organizations conduct themselves.”
No matter the size or industry of your business, the worsening cybercrime climate leaves every organization at increased risk. Developing strong lines of defense and response plans that preserve organizational integrity is crucial to remaining a trusted and successful player in the modern marketplace.
If your PCI compliance strategy is lacking, or if you feel unprepared for a potential attack, it’s time to get proactive. If you’re not sure where to start, reach out to a local team of technology experts for guidance. Cybersecurity specialists can help your company avoid an Uber-style disaster.