Uber, ABC cloud data breaches put Australian companies on notice about cloud security

With breach-notification deadline nearing, Australian companies get a case study in poor cloud and breach management as OAIC investigates revelations the ride-sharing giant paid hackers to delete stolen data on millions of users and drivers

The security of data stored in the cloud has come under scrutiny yet again as Australian information commissioner Timothy Pilgrim commences investigating global ride-sharing giant Uber in the wake of revelations that the firm paid hackers $132,000 to delete the stolen personally identifiable information (PII) of 57 million of its users.

The revelations emerged as new Uber boss Dara Khosrowshahi, who replaced founder and former CEO Travis Kalanick after his departure in August, came clean about the company’s actions after a 2016 data breach in which two external individuals had accessed data stored on a third-party cloud service that the company uses.

Forensic analysis confirmed that the names and driver’s license numbers of around 600,000 US drivers, as well as personal information about 57m users – including names, email addresses and mobile phone numbers – had been compromised.

Khosrowshahi said he had moved proactively to address the issue, firing two of the security staff who led the response to the incident and engaging cybersecurity consultant Matt Olsen to revitalise the company’s cybersecurity response plans. Uber is also notifying all affected drivers and providing them with free credit monitoring and identity-theft protection, notifying regulatory authorities, and monitoring the affected accounts for fraudulent activity.

“None of this should have happened, and I will not make excuses for it,” he wrote. “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”

The severity of the incident was compounded by revelations that the company had paid $US100,000 ($A132,000) to the hackers to delete the data. This, together with the seriousness of the breach and the potential repercussions if the PII is abused, suggests that the CEO’s mea culpa is only the beginning of what could be a trying time for the company.

Corporate cover-ups of often-serious data breaches are all too common, RSA APJ chief cyber security advisor Len Kleinman recently told CSO Australia while warning that “if you were involved in this space and managing incidents, you would be aghast at how much is actually kept quiet or swept under the carpets.”

“It seems like such a tragic loss not to use those breaches to tease out nuggets of gold and use them to improve your security posture and cyber resilience,” he added, emphasising the importance of a post-breach review that inevitably exposes shortcomings that must be quickly and effectively addressed.

Although the Uber breach likely has global implications, its potential effect on Australian users and drivers led Pilgrim to quickly make enquiries with Uber, his office said in a statement. Yet whatever comes of that investigation, Pilgrim – whose office will oversee the new Notifiable Data Breach (NDB) scheme from February 2018 – called the breach “a timely reminder to Australian businesses and agencies of the reputational value of good privacy practice, and the reputational risks that can follow mishandling of personal data”.

Such mishandling can also create liability and employment risks for CISOs that are found to have failed to protect their company data, while data breaches have been linked to financial problems as share prices tumble and customers defect in the wake of such a compromise.

News of the leak comes on the heels of revelations that the Australian Broadcasting Corporation accidentally exposed an Amazon Web Services S3 bucket containing a large amount of user data – the same kind of error that also recently led to nearly 50,000 Australians’ PII being leaked online by a government contractor.

The common element of these breaches – use of a third-party cloud service – highlights the importance for companies to tightly control their use of such services, and to protect the data stored on them. Many companies continue to kick security own-goals through poorly-managed use of cloud services, with cloud-visibility tools surging in popularity as security managers learn the hard way that they can’t take cloud security for granted.

Many other companies are failing to properly protect their privileged access accounts to both cloud and on-premises services, leaving them exposed to compromise by hackers who use default passwords, or non-unique user passwords stolen from other services, to breach their systems.

Such poor practices contributed to the Uber breach, with Khosrowshahi saying that the company had “implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts”.

The unknown risk attached to cloud migrations recently saw them beat out compliance requirements or fear of a cyberattack as key motivators for boards to invest in cybersecurity. Potential exposure under the NDB scheme is only likely to exacerbate the concerns, with significant penalties for Australian companies that fail to protect customers’ PII or fail to quickly take appropriate steps after a breach.

The new legislation “is creating a sense of urgency that not only do companies need to operate in a timely and effective manner, but that they need to build a more risk-based, proactive resilience-based approach to cybersecurity,” Kleinman said.

“If we do use the NDB legislation and its reporting properly, I would say in the future we will gather better empirical data around incidents and breaches that will give you better quality statistics and trends around this – particularly around the government sector, which often seems to be a bit of a black box.”