
What to Learn From Uber's 2016 Data Breach... That The Company Just Disclosed This Month


Just last week, Uber disclosed that hackers accessed the personal information of 57 million riders and drivers in October 2016, a breach it did not disclose publicly until November 21, 2017. This lack of Due Care and ethical process is making waves in the media, and the delayed disclosure adds a potential legal burden for the company.

What Happened?

According to the CEO of Uber, Dara Khosrowshahi, two hackers broke into the company in late 2016. Although there is no indication that trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded, the hackers were able to download files containing a significant amount of other information, including:

  • The names and driver’s license numbers of around 600,000 drivers in the United States.

  • Personal information including phone numbers, email addresses, and names of 57 million Uber users (drivers described above are included) around the world.

Khosrowshahi says hackers accessed the data through a third-party, cloud-based service. They found private authentication information that Uber engineers had accidentally exposed publicly on GitHub, a site many engineers and companies use to store code and track projects. The attack began when hackers got their hands on Uber user data stored on an Amazon server.
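One defender-side control that targets the root cause described above, cloud credentials committed to a public repository, is a secret scan run before code leaves an engineer's machine or is merged in CI. The following is an added example, not Uber's tooling or CyberStrong's product; it scans constructed sample file contents for AWS access key IDs and high-entropy secret assignments, using the placeholder key values from AWS's own public documentation.

```python
import math
import re

# Constructed sample of repository contents. The AWS-format values are the
# public placeholders from AWS's documentation, not live credentials.
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = True\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    "README.md": "Run `make test` before pushing.\n",
    "deploy.sh": "export DB_PASSWORD='changeme'\n",
}

# Long-lived (AKIA) and temporary (ASIA) AWS access key IDs share a fixed shape.
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Any assignment whose name suggests a secret; the value is captured for an entropy check.
SECRET_ASSIGN = re.compile(
    r"(?i)\b[\w.-]*(?:secret|password|passwd|token|api[_-]?key)[\w.-]*"
    r"\s*[=:]\s*['\"]?([^'\"\s]{8,})"
)


def shannon_entropy(s: str) -> float:
    """Bits per character; machine-generated secrets typically score above 4."""
    if not s:
        return 0.0
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))


def scan_text(path: str, text: str, min_entropy: float = 3.5) -> list[tuple[str, int, str]]:
    """Return (path, line_number, rule) findings for one file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if AWS_KEY_ID.search(line):
            findings.append((path, lineno, "aws-access-key-id"))
        m = SECRET_ASSIGN.search(line)
        # Low-entropy placeholders such as 'changeme' are skipped by this rule.
        if m and shannon_entropy(m.group(1)) >= min_entropy:
            findings.append((path, lineno, "high-entropy-secret"))
    return findings


def scan_repo(files: dict[str, str]) -> list[tuple[str, int, str]]:
    """Scan every file; a non-empty result should fail the pre-commit hook or CI job."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


if __name__ == "__main__":
    for path, lineno, rule in scan_repo(SAMPLE_FILES):
        print(f"{path}:{lineno}: {rule}")
```

A key that has already been pushed must be treated as compromised and rotated; scanning only prevents the next leak.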

The $100,000 Payment to The Hackers

Law enforcement advises companies not to pay hackers and to report breaches to the authorities whenever there is an attack. However, instead of alerting users and authorities, Uber paid the hackers $100,000, perhaps to keep them quiet and resolve the incident as quickly as possible.

The company’s failure to disclose the breach was amateurish. An Uber driver who has yet to receive any communication from the company stated, “I found out through the media. Uber doesn’t get out in front of things, they hide them.” Just a small reminder that a data breach affects your business not only in dollars, but also in reputation.

This incident didn't just upset riders and drivers. It will ultimately affect the company legally. There is no doubt that Uber will face possible consequences from both state and federal agencies, and it is going to be heavily fined for this incident. “Forty-eight states have security breach notification laws which require companies to disclose when hackers access private information,” including California, where Uber’s headquarters is located. Furthermore, the Uber breach affects non-U.S. users too, so there could be international consequences as well.

Uber’s Solution

According to Khosrowshahi, Uber is individually notifying the drivers whose driver’s license numbers were downloaded and providing these drivers with free credit monitoring and identity theft protection.

Here are some tips if you've used Uber and want to restore your resilience in case your data was stolen, which you may never know for certain.

As business leaders, what lesson can we learn from this incident?

Cybercriminals are always looking for vulnerabilities, and Uber clearly had some. The attackers' methods were hardly sophisticated compared to other major cyberattacks that happened this year. Ultimately, the breach was caused by a lack of Due Care and by negligence.

At the same time, you could sympathize with companies that carry so much data that they become more attractive targets for cyber criminals. These questions arise:

How could they have had the visibility to look into their program and see every vulnerability? How could they have known that everyone in their organization was doing their job correctly? That human error was as reduced as possible? That they were following best practices? How could they have even known that what they were doing was best practice at all? As compared to what?

CyberStrong was created to solve each one of these questions.

CyberStrong provides visibility, reporting, measurement and mapping to the gold-standard NIST Cybersecurity Framework. Imagine having the ability to map your company's individual strategy to this massive set of best practices in just hours: you can enhance the security and resilience of your organization as you receive recommendations for improvement based on their cost and impact on your resilience, and make informed decisions based on your existing gaps. With a risk-based approach, you measure your risk and cyber posture continuously, day to day, and see your team in action to eliminate human error. Take advantage of effective and specific solutions while retaining flexibility within your own program.

When it comes to cybersecurity, we all need to be proactive in our organizations for the sake of both our companies and our customers. If only to avoid the negative social implications, we don’t want another “Uber incident” to occur because of vulnerabilities that could have been prevented.
