Lessons From Uber: How NOT to Respond to a Cybersecurity Incident
After suffering a major data breach six years ago, you would think that a company like Uber would be ready for more cyberattacks, but here we are.
How did we get here? [insert flashback music]
It was late 2016. Cyberattackers quietly breached the security perimeter of Uber networks and accessed the personal data of 57 million riders and drivers, including 600,000 drivers’ license numbers. Instead of contacting authorities and alerting the users of this breach, the company decided to pay the attackers $100,000 to destroy the data. Technically speaking this is still considered a “ransom,” but it’s debatable because the computer systems were still working. Had the attackers been able to lock up the computers completely, the ransom would have been higher. The $100,000 is really more like extortion than ransom. Most importantly: Uber covered it up.
Fast-forward six years to Sept. 15, 2022. Uber announces the company is responding to a “cybersecurity incident.” Word quickly got out that the young hacker got into a company Slack, and by then, the adversary had already gained full access to the network, impacting the Amazon Web Services console, VMware vSphere/ESXi virtual machines, and the Google Workspace admin dashboard, and they posted the vulnerability reports publicly. It had all the makings of a classic Matthew Broderick movie, somewhere between Ferris and War Games.
On Sept. 19, 2022, right on cue, Uber posted an update regarding the security incident.
The blog-post-style update from Uber is fairly thorough and worth your time reading, but it lost “street cred” when it suggested that the hacker group Lapsus$ may have been responsible for the incident. From the website:
Who is responsible?
“We believe that this attacker (or attackers) are affiliated with a hacking group called Lapsus$, which has been increasingly active over the last year or so. This group typically uses similar techniques to target technology companies, and in 2022 alone has breached Microsoft, Cisco, Samsung, Nvidia and Okta, among others. There are also reports over the weekend that this same actor breached video game maker Rockstar Games. We are in close coordination with the FBI and US Department of Justice on this matter and will continue to support their efforts.”
The first problem with this statement is the word “believe.” It makes it sound like a theory or hypothesis, not true attribution. Uber did NOT say “the evidence strongly suggests…” Attribution of a cybercrime is actually a really tough thing to do, especially overseas. It’s easy to blame the same loosely organized group that hacked other big tech companies. People like to have someone to blame — right away — but what does the digital evidence really show? A false attribution of a cyber event could lead to defamation, and may also let the actual attacker off the hook. It’s no different than being on the Gulf Coast and blaming everything on “the Devil.”
If you would like to step away from the Hollywood story and read what actually happened, this article does a great job with the timeline, based on crowdsourcing online researchers.
Meanwhile, back in court … Oh! Did I forget to mention that the former chief security officer (CSO) of Uber, Joe Sullivan, was convicted in a federal court for the 2016 data breach? Sullivan was convicted of obstruction of proceedings of the Federal Trade Commission (FTC) and misprision of a felony due to his attempted concealment of the breach.
Some are still criticizing how the court proceeding was handled. Should the company have been held more liable, rather than the individual? Granted, obstruction and concealing are indeed crimes, but should the company also be responsible for mishandling the situation?
There is no clear answer here, and the story is still playing out. The only thing we know is that people are being held accountable, and legislation is pending. Stay tuned for the next chapter.