You Can’t Outsource Accountability: Uber Breach Highlights Firms’ Cloud Security Responsibilities

by Bharat Mistry

Consumers and cybersecurity professionals around the world have been stunned by Uber’s revelation that it paid hackers $100,000 to delete data on 57 million users stolen last year. There are many strands to the case, and more details are likely to emerge over time. But fundamentally it highlights the need for firms to secure their cloud environments as rigorously as anything on premise.

With the EU GDPR promising huge fines for firms that fail to suitably protect customer data, companies must realise that when it comes to the cloud, you simply can’t outsource accountability.

What happened?
Uber was attacked in “late 2016” and the names, email addresses and mobile phone numbers of 57 million users — including seven million drivers — were compromised. Driver’s licenses belonging to 600,000 US drivers were exposed as part of the breach, according to CEO, Dara Khosrowshahi. There remain plenty of question marks: most notably, whether the hackers have held their word and destroyed all the stolen data; and whether they only took names, emails, phone numbers and driver’s license details.

The attack itself took place after two individuals managed to access a private GitHub account being used by Uber engineers. According to Bloomberg, they found Amazon Web Services (AWS) log-ins there and promptly used them to access the AWS Uber account, eventually finding the trove of rider and driver info in the cloud.

Shared Responsibility
This leads us to a number of conclusions:

  • Static password-username combinations should never be used to protect such highly sensitive data
  • Companies should always inform the relevant local authorities as soon as possible after a breach and;
  • Never pay a ransom or similar to the hackers
  • Most importantly, firms must properly secure their cloud environments

In his statement, Khosrowshahi claimed that following the hushed-up incident last year, Uber “implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts”. Presumably this involved migrating them to some form of multi-factor authentication and to institute a policy of least privilege. However, these are best practices which should have been in place from the very start.

Why did Uber not properly secure its cloud environment? We might find some clues from Khosrowshahi himself:

“I recently learned that in late 2016 we became aware that two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use. The incident did not breach our corporate systems or infrastructure.”

This statement is somewhat troubling in that it tries to draw a distinction between the firm’s own infrastructure and its AWS account. In reality, cloud services adopted by businesses automatically become a part of their corporate infrastructure and therefore must be secured as rigorously. AWS makes very clear that the Shared Responsibility model means it will only take care of the hardware, software, networking, and facilities that run AWS Cloud services — “security of the cloud”. The rest, including customer data and applications, is the client’s responsibility.

GDPR calling
It’s unclear exactly how much Uber would have faced in GDPR fines, had the incident occurred after 25 May 2018. We do know that failure to report a serious breach incurs a fine of €10m or 2% of global annual turnover. Judging by Uber’s 2016 revenue, this could have resulted in a fine of around $130m straight off the bat.

The firm’s apparent failure to follow industry best practices in terms of access controls and securing its cloud environment could have led to even bigger fines. For any watching IT or business leaders the message is clear: using cloud services doesn’t mean you can forget about security — far from it. In fact, it requires an even more detailed approach to ensure no personal data stored anywhere is left exposed to potential compromise.

 

 

Leave a Reply

Your email address will not be published. Required fields are marked *