A Canadian and an American were behind the massive 2016 hack of Uber Technologies customer data, the company's CISO told a U.S. Senate sub-committee Tuesday.
“I understand that the original individual was located in Canada, and that his partner, who actually obtained the data, was in Florida,” John Flynn said in a prepared statement to senators. “I further understand that the attribution team made contact with both individuals and received assurances that the data had been destroyed.
“As you know, Uber paid the intruders (US)$100,000 through HackerOne and our bug bounty program. Our primary goal in paying the intruders was to protect our users' data. This was not done in a way that is consistent with the way our bounty program normally operates, however. In my view, the key distinction regarding this incident is that the intruders not only found a weakness, they also exploited the vulnerability in a malicious fashion to access and download data.”
The breach was only discovered Nov. 14, 2016 when Uber's security team received emails from an anonymous person who claimed to have accessed private data and demanded a six-figure payment. Within 24 hours, investigators found the data came from back-up files stored in a password-protected AWS S3 bucket. “We found that the intruder found the credential contained within code on a private repository for Uber engineers on GitHub, which is a third-party site that allows people to collaborate on code,” Flynn testified. “We immediately took steps to implement multifactor authentication for GitHub and rotated the AWS credential used by the intruder. Despite the complexity of the issue and the limited information with which we started, we were able to lock down the point of entry within 24 hours.”
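The entry point Flynn describes, a long-lived AWS credential sitting inside source code on a code-hosting site, is the kind of defect a repository scan catches before a commit lands. The script below is an added example written for this page; it is not Uber's tooling and not part of the original article. It looks for the documented AWS access-key-ID format (20 characters, `AKIA` or `ASIA` prefix), for 40-character values assigned to secret-key-like names, discards low-entropy placeholders, and reports only a redacted fragment so the scanner's own output never becomes a second leak. The sample configuration is constructed for the example and uses the placeholder key values AWS publishes in its own documentation.

```python
"""Detect hard-coded AWS credentials in source text (added example, not Uber's tooling)."""
import math
import re
import sys
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: a settings file as an engineer might commit it by mistake.
# The key values are the example placeholders from AWS's public documentation.
SAMPLE_SOURCE = """\
# settings.py (constructed example, not Uber's code)
S3_BACKUP_BUCKET = "rider-backups"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
LOG_LEVEL = "INFO"
"""

# Documented AWS access key ID format: 20 chars, AKIA (long-term) or ASIA (temporary).
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# A 40-char base64-like value assigned to something named like an AWS secret key.
SECRET_KEY_RE = re.compile(
    r"""(?i)aws[_\-]?secret[_\-]?(?:access[_\-]?)?key\s*[=:]\s*['"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"""
)
# Real secrets are random; a repeated or dictionary-like string scores low and is skipped.
MIN_SECRET_ENTROPY = 3.0


@dataclass
class Finding:
    line: int
    kind: str
    redacted: str


def shannon_entropy(s: str) -> float:
    """Bits per character of the string; roughly 4.7 for the sample secret, 0 for 'aaaa...'."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep only enough of the value to locate it; never echo a full secret into logs."""
    return f"{value[:4]}...{value[-4:]}"


def scan_text(text: str) -> List[Finding]:
    """Return one Finding per credential-looking value, with its 1-based line number."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(lineno, "aws_access_key_id", redact(m.group(0))))
        for m in SECRET_KEY_RE.finditer(line):
            secret = m.group(1)
            if shannon_entropy(secret) >= MIN_SECRET_ENTROPY:
                findings.append(Finding(lineno, "aws_secret_access_key", redact(secret)))
    return findings


def scan_files(paths: List[str]) -> Dict[str, List[Finding]]:
    """Scan each path and keep only files that produced findings."""
    results: Dict[str, List[Finding]] = {}
    for path in paths:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            hits = scan_text(fh.read())
        if hits:
            results[path] = hits
    return results


if __name__ == "__main__":
    targets = sys.argv[1:]
    if targets:
        report = scan_files(targets)
    else:
        report = {"<constructed sample>": scan_text(SAMPLE_SOURCE)}
    for path, hits in report.items():
        for f in hits:
            print(f"{path}:{f.line}: {f.kind} {f.redacted}")
    # Non-zero exit lets a pre-commit hook block the commit.
    sys.exit(1 if report else 0)
```

Run with no arguments to scan the constructed sample, or pass the staged files from a pre-commit hook; the non-zero exit status blocks the commit. The entropy filter is what keeps a line like `AWS_SECRET_ACCESS_KEY = "aaaa..."` in a template from paging anyone, while the redaction keeps the scanner's report safe to paste into a ticket. A scan like this is a complement to, not a substitute for, the controls Flynn lists: short-lived credentials, multifactor authentication on the code host, and rotation the moment a key is suspected exposed.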
But after paying the “bug bounty,” Uber stayed silent on the breach and didn't notify customers. It was only several months later, after new management had taken over, that the CEO learned of the breach and hired an outside firm to investigate. It found the stolen data included information on approximately 57 million users worldwide, including approximately 25 million users in the United States and 8,000 in Canada.
For nearly all users, Flynn said, the downloaded data included names, email addresses and phone numbers. In some cases, the information also included information collected from or created about users by Uber, such as Uber user IDs, certain one-time locational information (e.g., the latitude and longitude corresponding to the location where the user first signed up for the Uber service), user tokens, and passwords protected using hashing and salting techniques. Of the driver accounts, approximately 600,000 included driver's license numbers. There was no indication that trip location history, credit card numbers, bank account numbers, Social Security numbers, or dates of birth were stolen, he added.
Still, the incident didn't come to light until November 2017, 11 months after the company knew about it.
Flynn repeated CEO Dara Khosrowshahi's apology and said “it was wrong not to disclose the breach earlier. The breach should have been disclosed in a timely manner. The company is taking steps to ensure that an incident like this doesn't happen again, with personnel changes and additional remedial actions. We are working to make transparency and honesty core values of our company.”
“We recognize that the bug bounty program is not an appropriate vehicle for dealing with intruders who seek to extort funds from the company. The approach that these intruders took was separate and distinct from those of the researchers in the security community for whom bug bounty programs are designed. While the use of the bug bounty program assisted in the effort to gain attribution and, ultimately, assurances that our users' data had been secured, at the end of the day, these intruders were fundamentally different from legitimate bug bounty recipients.”
Among moves to increase security, the company no longer allows developers to use GitHub except for posting items like open source code. It has also expanded the use of multifactor authentication protocols for AWS service accounts, and it has hired Matt Olsen, a former general counsel of the National Security Agency and director of the National Counterterrorism Center, to help structure the security team and implement new security processes.
According to Security Week, Flynn's boss, Uber chief security officer Joe Sullivan, and in-house lawyer Craig Clark were fired over their roles in the breach.