Uber data leakage - learn from mistakes?
Uber Technologies Inc. I had to fire my security director and one and his deputies for helping to conceal information on data leakage, as a result of which hackers were able to gain access to personal data of 57 million service users and drivers working with it.
On November 22, 2016, the Bloomberg news portal published a message about the dismissal of Uber Security Director Joe Sullivan. Sullivan and his deputy, obviously, tried to hide the data leakage and the fact that the company paid $ 100,000 to those who claimed responsibility for the attack. As a result of their actions, Uber did not inform the regulator about the leakage of data, as required by state law and federal law.
Two attackers managed to access the closed Uber page on GitHub and use the resulting credentials to authenticate with the Amazon Web Services (AWS) account that the company used to process payments. Thanks to this, the attackers managed to get the names, email addresses and phone numbers of 50 million Uber users around the world. In addition, they managed to get access to personal data of 7 million Uber drivers, including 600 thousand state license plates.
')
Soon after, the attackers turned to Uber and demanded money from the company. Sullivan and his deputy arranged for the payment of the amount claimed and tried to hide the incident.
Dara Khosrovshakhi (Dara Khosrowshahi), the CEO of Uber, expressed his regrets about the leakage and the subsequent attempt of the company's employees to hide this leakage:
“All this should not have happened, and we have no excuse. And although I cannot erase the past, I can vouch on behalf of all Uber employees that we will learn from our mistakes. We change the nature of our business, ensuring the integrity and security of data when making any decision, and we make every effort to earn the trust of our customers. "
At the same time, Khosrovshakhi clarified that during the incident the company turned to the attackers and “received assurances” that they had destroyed the data. In this regard, Uber believes that there were no other abuses with data stolen as a result of a leak. In addition, Uber has taken a number of additional measures to protect its accounts used for cloud storage.
According to Jason Hart, vice president and technical director of data protection solutions at Gemalto, in this case, Uber could (and should) do something different:
In particular, in the data leak incident, Uber made the following 3 errors: the company needed to report a leak more quickly, use encryption technologies more efficiently throughout the entire data life cycle, and use access control technologies, including strict multifactor authentication technology.
The hitch with the publication of information about the leakage undermines the trust of users, and also contradicts the postulate that such leaks, as a result of which attackers gain access to personal data stored in the cloud, are inevitable.
The main task of the company in this case should not be to hide the fact of leaks, and, paradoxically, not even to prevent them.
The main thing is to make such leaks “safe” by using a more intelligent approach to security, where data is at the forefront. This approach implies that you have a complete idea of ​​where your important data is located, who has access to it, how it is transmitted, and when and where it is encrypted and decrypted.
All that had to be done in the case of Uber was to provide secure access to the data and encrypt it, and this is exactly what other organizations need to do in the future to avoid such incidents.
If a company wants to make more significant progress against data leakage, it should follow a new philosophy regarding data security.
For decades, the prevailing cybersecurity approach has been to create a so-called “security perimeter” around all data and networks that would prevent intruders from accessing these resources. This leakage prevention strategy has remained the cornerstone of corporate data security strategies for several decades.
The endless series of incidents observed today suggests that this approach is no longer successful, and today companies should turn to the philosophy of “safe the leaks” . This means that companies should recognize the inevitability of leaks and move security tools as close as possible to the protected data and to the users who work with them. This approach involves the use of encryption technology to protect all stored and transmitted confidential data, as well as secure management and storage of all your encryption keys, centralized control of access to all resources and the use of multifactor authentication.
By embedding security mechanisms directly into protected assets, you can ensure that even in the event of a leak, information will be protected from intruders.
On November 22, 2016, the Bloomberg news portal published a message about the dismissal of Uber Security Director Joe Sullivan. Sullivan and his deputy, obviously, tried to hide the data leakage and the fact that the company paid $ 100,000 to those who claimed responsibility for the attack. As a result of their actions, Uber did not inform the regulator about the leakage of data, as required by state law and federal law.
Two attackers managed to access the closed Uber page on GitHub and use the resulting credentials to authenticate with the Amazon Web Services (AWS) account that the company used to process payments. Thanks to this, the attackers managed to get the names, email addresses and phone numbers of 50 million Uber users around the world. In addition, they managed to get access to personal data of 7 million Uber drivers, including 600 thousand state license plates.
')
Soon after, the attackers turned to Uber and demanded money from the company. Sullivan and his deputy arranged for the payment of the amount claimed and tried to hide the incident.
Dara Khosrovshakhi (Dara Khosrowshahi), the CEO of Uber, expressed his regrets about the leakage and the subsequent attempt of the company's employees to hide this leakage:
“All this should not have happened, and we have no excuse. And although I cannot erase the past, I can vouch on behalf of all Uber employees that we will learn from our mistakes. We change the nature of our business, ensuring the integrity and security of data when making any decision, and we make every effort to earn the trust of our customers. "
At the same time, Khosrovshakhi clarified that during the incident the company turned to the attackers and “received assurances” that they had destroyed the data. In this regard, Uber believes that there were no other abuses with data stolen as a result of a leak. In addition, Uber has taken a number of additional measures to protect its accounts used for cloud storage.
According to Jason Hart, vice president and technical director of data protection solutions at Gemalto, in this case, Uber could (and should) do something different:
In particular, in the data leak incident, Uber made the following 3 errors: the company needed to report a leak more quickly, use encryption technologies more efficiently throughout the entire data life cycle, and use access control technologies, including strict multifactor authentication technology.
The hitch with the publication of information about the leakage undermines the trust of users, and also contradicts the postulate that such leaks, as a result of which attackers gain access to personal data stored in the cloud, are inevitable.
The main task of the company in this case should not be to hide the fact of leaks, and, paradoxically, not even to prevent them.
The main thing is to make such leaks “safe” by using a more intelligent approach to security, where data is at the forefront. This approach implies that you have a complete idea of ​​where your important data is located, who has access to it, how it is transmitted, and when and where it is encrypted and decrypted.
All that had to be done in the case of Uber was to provide secure access to the data and encrypt it, and this is exactly what other organizations need to do in the future to avoid such incidents.
If a company wants to make more significant progress against data leakage, it should follow a new philosophy regarding data security.
For decades, the prevailing cybersecurity approach has been to create a so-called “security perimeter” around all data and networks that would prevent intruders from accessing these resources. This leakage prevention strategy has remained the cornerstone of corporate data security strategies for several decades.
The endless series of incidents observed today suggests that this approach is no longer successful, and today companies should turn to the philosophy of “safe the leaks” . This means that companies should recognize the inevitability of leaks and move security tools as close as possible to the protected data and to the users who work with them. This approach involves the use of encryption technology to protect all stored and transmitted confidential data, as well as secure management and storage of all your encryption keys, centralized control of access to all resources and the use of multifactor authentication.
By embedding security mechanisms directly into protected assets, you can ensure that even in the event of a leak, information will be protected from intruders.
Source: https://habr.com/ru/post/344420/
All Articles