Uber reveals massive data breach.
Taxi-hailing company Uber has revealed that it concealed a hack that affected 57 million customers and drivers. The breach occurred in October 2016 and Uber paid hackers $100,000 to delete the data.
The hackers found 57 million names, email addresses and mobile phone numbers, Uber said in a statement released on its site. Within that number, 600,000 drivers had their names and license details exposed.
Sophos Principal Research Scientist Chester Wisniewski said: “Uber’s breach demonstrates once again how developers need to take security seriously and never embed or deploy access tokens and keys in source code repositories. I would say it feels like I have watched this movie before, but usually, organisations aren’t caught while actively involved in a cover-up. Putting the drama aside and the potential impacts of the upcoming GDPR enforcement, this is just another development team with poor security practices that have shared credentials. Sadly, this is common more often than not in agile development environments.”
Although the company did not reveal the exact details of the hack, Bloomberg has reported that two hackers were able to access a private area of GitHub, an online resource for developers. The cybercriminals then seem to have found Uber’s log-in credentials to Amazon Web Services (Amazon’s cloud computing service).
Uber has set up a resource page for those affected, and drivers have been offered free credit monitoring protection. But as of now, affected customers will not be given the same resources.
“Uber isn’t the only and won’t be the last company to hide a data breach or cyber attack. Not notifying consumers puts them at greater risk of being victimised with fraud. It’s for precisely this reason that many countries are driving to regulations with mandatory breach disclosure,” said James Lyne, Sophos cybersecurity advisor.
In January 2016 Uber was fined $20,000 for failing to promptly disclose an earlier data breach that happened in 2014.