Uber, amirite?
Here’s the quick thirty-second post-vacation catch up for those (like me) that have been out of the loop because vacation. First, Uber got hacked, potentially exposing data from up to 57 million people. The data in play included driver license numbers, names, phone numbers, and email addresses.
Is that the most surprising thing in the world? Probably not. The breach is on the large-ish side, but certainly not the biggest one ever. Likewise, the data involved isn’t “super worst case scenario” like say, the Equifax breach. No, in this case the surprising parts are the timing and their reaction. Because first, it happened in 2016. Second, they apparently paid the hackers $100,000 to keep quiet about it.
To put icing on the already-ridiculous cake, its’ worth reading the blog post about the issue from Uber CEO Dara Khosrowshahi. Let’s walk through some of the high points. Why? As a cautionary tale. The level of ineptitude (note that I’m being generous in saying “inept” because the alternative is “legit evil”) is epic in scale. It’s also not likely to go away quickly (or cleanly) and will likely wind up resulting in long-term financial impact for Uber.
The statement starts out by saying that “I recently learned that in late 2016 we became aware that two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use.” Let’s stop right there.
My questions about just this sentence are legion. First, “recently learned”? He’s been CEO of Uber since August. The fact that they lost 57 million records and then paid to cover it up just came up recently? I’m sure he’s being honest here… he probably is just hearing about it now. That’s not a good thing though. Like, if you were head of compliance or security for Uber, wouldn’t this be one of the first things on your docket to discuss with the incoming CEO? Yeah, me too. Which suggests to me one of a few things are true; either: A) security is so jacked at Uber that this didn’t rate as a top-tier issue, B) there’s high turnover and little recordkeeping (so everybody pretty much forgot it happened) or C) the CEO isn’t meeting directly with security or compliance teams. My suspicion is it’s a combination of all three. Someone suggested to me this morning that maybe internal Uber teams did know about it, but didn’t inform the CEO. That’s possible too. If that’s the case, its still really, really not good.
Second, who cares where the data was? The post mentions the cloud provider and then goes on to say, “The incident did not breach our corporate systems or infrastructure.” But really, who cares?
This fails what I like to call “the cat test”. Imagine you ask me to take care of your cat while you’re away on a trip. You come back and the cat died. Is my excuse one where you punch me in the face, one where I get arrested, or one where we’re still friends? I find that many issues can be understood by thinking through how it would play out in the cat-sitting scenario above. For example:
- Example one: I couldn’t feed the cat because I was in a coma from a brain aneurysm. You probably don’t love the consequences, but maybe we could stay friends. It’s force majeur… pretty much unavoidable even though the outcome is so terrible.
- Example 2: I was too lazy to do it, so I gave my cousin a bag of meth in exchange for him looking after your cat… he was high (because meth) so forgot to put out food. In this case, my actions were clearly illegal so the appropriate response is that I be arrested.
- Example 3: I accidentally pour tuna juice into the jar of rat poison I left open on your counter. That’s a face punch scenario: it’s not exactly illegal per se (negligent animal cruelty maybe?) but it’s absolutely my fault: my carelessness caused it.
In the case of Uber, it sounds to me like a “face punch” scenario. They apparently put their AWS credentials into code that they uploaded to GitHub. So the analogy to run through the cat test would be: I tied your apartment key to a string and left it tied around your doorknob; a band of local kids got in your apartment, trashed the place, and killed your cat. Were my actions illegal? No. But there wasn’t force majeur either. There’s exactly one entity at fault and one reason the situation occurred: willful carelessness.
Next, they go on to say:
At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals. We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed…
Bah. Paying the bad guys money to destroy the data isn’t acceptable. Ever. This response is cavalier at best. What were the assurances they received? How do they know the data was destroyed? How were they able to trust these assurances? This is absolutely not the right way to go about this. And, as a steward of people’s data, this is exactly what breach disclosure notification laws are for.
The tone of the concluding paragraph is the right one though. They say:
None of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.
I’m really glad they are not making excuses. The tone of this sentence is the right one. However, the cleanup of this mess is going to be a long row to hoe. I also question what the response of regulators is going to be and whether there will be legal action against them. I’m thinking there’s more to come on this.