{"id":685,"date":"2017-11-27T19:00:33","date_gmt":"2017-11-27T19:00:33","guid":{"rendered":"https:\/\/securitycurve.com\/?p=685"},"modified":"2017-11-27T19:00:33","modified_gmt":"2017-11-27T19:00:33","slug":"the-uber-incident","status":"publish","type":"post","link":"https:\/\/securitycurve.com\/?p=685","title":{"rendered":"The Uber incident"},"content":{"rendered":"

\"\"<\/a>Uber, amirite?<\/p>\n

Here’s the quick thirty-second post-vacation catch up for those (like me) that have been out of the loop because vacation.\u00a0 First,\u00a0Uber got hacked<\/a>, potentially exposing data from up to 57 million people. The data in play included driver license numbers, names, phone numbers, and email addresses.<\/p>\n

Is that the most surprising thing in the world?\u00a0 Probably not.\u00a0 The breach is on the large-ish side, but certainly not the biggest one ever.\u00a0 Likewise, the data involved isn’t “super worst case scenario” like say, the Equifax breach.\u00a0 No, in this case the surprising parts are the timing and their reaction.\u00a0 Because first, it happened in 2016.\u00a0 Second, they apparently paid the hackers $100,000 to keep quiet<\/a> about it.<\/p>\n

To put icing on the already-ridiculous cake, its’ worth reading the blog post about the issue from Uber CEO\u00a0Dara Khosrowshahi<\/a>.\u00a0 Let’s walk through some of the high points.\u00a0 Why?\u00a0 As a cautionary tale.\u00a0 The level of ineptitude (note that I’m being generous in saying “inept” because the alternative is “legit evil”) is epic in scale.\u00a0 It’s also not likely to go away quickly (or cleanly) and will likely wind up resulting in long-term financial impact for Uber.<\/p>\n

The statement starts out by saying that “I recently learned that in late 2016 we became aware that two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use.<\/em>”\u00a0 Let’s stop right there.<\/p>\n

My questions about just this sentence are legion.\u00a0 First, “recently learned”?\u00a0 \u00a0He’s been CEO of Uber since August.\u00a0 The fact that they lost 57 million records and then paid to cover it up just came up recently?\u00a0 I’m sure he’s being honest here… he probably is just hearing about it now.\u00a0 That’s not a good thing though.\u00a0 Like, if you were head of compliance or security for Uber, wouldn’t this be one of the first things on your docket to discuss with the incoming CEO?\u00a0 Yeah, me too.\u00a0 Which suggests to me one of a few things are true; either: A)<\/strong> security is so jacked at Uber that this didn’t rate as a top-tier issue, B)<\/strong> there’s high turnover and little recordkeeping (so everybody pretty much forgot it happened) or C)<\/strong> the CEO isn’t meeting directly with security or compliance teams.\u00a0 My suspicion is it’s a combination of all three.\u00a0 \u00a0Someone suggested to me this morning that maybe internal Uber teams did know about it, but didn’t inform the CEO.\u00a0 That’s possible too.\u00a0 If that’s the case, its still really, really not good.<\/p>\n

Second, who cares where the data was?\u00a0 The post mentions the cloud provider and then goes on to say, “The incident did not breach our corporate systems or infrastructure.<\/em>”\u00a0 But really, who cares?<\/p>\n

This fails what I like to call “the cat test”.\u00a0 Imagine you ask me to take care of your cat while you’re away on a trip.\u00a0 You come back and the cat died.\u00a0 Is my excuse one where you punch me in the face, one where I get arrested, or one where we’re still friends?\u00a0 I find that many issues can be understood by thinking through how it would play out in the cat-sitting scenario above. For example:<\/p>\n