Uber data breach - the industry reacts

Uber has become the latest major company to reveal a major data breach, having admitted today that it suffered an attack back in 2016 that may have leaked the details of 57 million of its users.

However the shocking part of the story is that Uber also admitted to paying a ransom to the agents behind the attack in order to keep the breach secret, raising questions about the company's overall security outlook.

But how has the security industry reacted to the news? ITProPortal collates the opinion of some of the leading minds in security today.

Chris Boyd, lead malware intelligence analyst at Malwarebytes 

"This breach is not only hugely aggravating for those affected, but also raises questions about the value of bug bounty programs. Companies have made large strides in trying to make bounty reporting, in general, a lot less like the 'Wild West', and something like this undermines those efforts. Especially when you consider many bounties pay out a lot less than the £75,000 Uber offered to hackers, plus including the chunk of taxes coming out of the bounty. 

Whilst not communicating a breach cannot be condoned, the upcoming GDPR will hopefully not only lead to better governance and protections, but also serve to reduce the stigma around hacks. So rather than just seeing headline-grabbing fines on a practical level we will also see big lessons learned by organisations. Ultimately, if businesses are afraid to come forward and admit a breach, how will we – as a society – ever learn from and beat the cyber miscreants?"

David Kennerley, director of threat research at Webroot

"Given the current climate around data security and breaches it is astonishing that Uber paid off the hackers and kept this breach under wraps for a year. The fact is there is absolutely no guarantee the hackers didn't create multiple copies of the stolen data for future extortion or to sell on further down the line. 

A security breach of this size will potentially damage any business’ reputation, but how a company behaves following a breach is vital.  Potential victims deserve to be informed as soon as possible, so they can better protect themselves going forward - from changing passwords and being aware that they are now prime phishing targets. Being open and transparent and keeping customers informed is key, you can’t simply sweep these things under the carpet."

Chester Wisniewski, principal research scientist, Sophos 

“Uber's breach demonstrates once again how developers need to take security seriously and never embed or deploy access tokens and keys in source code repositories. 

I would say it feels like I have watched this movie before, but usually organisations aren't caught while actively involved in a cover-up. Putting the drama aside and the potential impacts from the upcoming GDPR enforcement, this is just another development team with poor security practices that has shared credentials. Sadly, this is common more often than not in agile development environments.”

Rob Norris, VP head of enterprise & cyber security EMEA, Fujitsu

“Yet another company breach has made the headlines, and looks set to become this month’s – if not this year’s – biggest hacking story. This attack on Uber, the way the company handled it, and the customer reactions we’re beginning to witness offer crucial lessons for the way organisations approach cyber security – and the potential consequences when they get it wrong.

As attackers always have the initiative, even the best-run company could suffer from a hack or data theft. With GDPR coming in force in less than a year, companies need to be aware of all the channels cyber criminals can use to infiltrate the company and steal data, and take proactive steps to safeguard their main asset – data. The ripple effects of an attack no longer stay within the four walls of an organisation, and this the time businesses of all sizes must rethink their approach and stop flouting cybersecurity practices.”

Peter Carlisle, VP EMEA, Thales eSecurity

“Data breaches of this scale only compound the view that organisations’ reputations are as much negatively affected as their digital defences.

When millions of consumers are directly impacted on such a mammoth level, this only raises further questions about today’s tech giants who harbour inordinate reserves of data.

With the introduction of the EU GDPR on the horizon, the risk of heavy fines will be hanging over those organisations who fail to protect themselves appropriately against breaches, meaning that robust cybersecurity measures must be an absolute priority for today’s businesses.

Our own research has highlighted that half of UK consumers do not believe commercial organisations care about their digital privacy. Though Uber is headquartered in the US, incidents like this underscore this view and highlight precisely why data security methods must be watertight to mitigate the evolving threats posed by hackers.”

Dan Sloshberg, cyber resilience expert, Mimecast

“Uber had both the legal and social obligation to inform governments and customers of this attack, and the fact the company chose to pay hackers and hide the massive breach is shocking. Pretending that an attack hasn’t happened, or quietly paying attackers off only emboldens perpetrators further.

With the General Data Protection Regulation (GDPR) being enforced from May 2018, businesses must report personal data breaches within 72 hours and could face crippling fines much bigger than what Uber paid to hackers.

Businesses need to realise that the impact of breaches can be very serious - with knock-on effects on the organisation itself, employees and customers. To combat threats and ensure they remain compliant ahead of the GDPR, organisations must invest in minimising their risk with an appropriate cyber resilience strategy, incorporating advanced security, data protection and recovery, and business continuity.”