Lawyer Monthly hears form Susan Hall, a Partner and specialist lawyer in intellectual property and information and communications technology at national firm Clarke Willmott LLP, who reacts to the latest news that Uber concealed a huge data breach affecting 57 million users and drivers in 2016.
The news that Uber suffered a substantial data breach last year, and subsequently concealed it from regulators and those affected is very worrying indeed but what I find the most important and interesting aspect of this is how the breach arose.
Hackers accessed Uber’s private development area within GitHub, an online resource for developers - they essentially went in through the tradesman’s entrance.
From here they were able to obtain authentication and login details for Uber’s Amazon Web Service (AWS) account, a cloud computing service used by Uber to store data for back-office software development. Once into AWS the hackers accessed a large cache of hosted driver and customer data and then blackmailed Uber with the threat to release this data.
There is a huge issue there and this particular method of hacking – a back office hack - is an important lesson in the dangers of using Cloud computing for IT development. There are two glaringly obvious questions – why was it possible to access Uber’s AWS account at all via its GitHub, and why was development apparently being carried out using ‘live’ rather than dummy data?
While the common weakness in most hacks is the human factor, it’s tempting to think of this as unsophisticated users falling vulnerable to people with much greater technical knowledge. This does not seem to have been the case here. It seems more likely to be a case of Uber’s IT developers being careless and making use of short cuts which exposed the company to the kind of security risks which occurred here.
I imagine Amazon Web Service may be looking at enforcing its own terms of use against Uber: typically a hosting services provider puts the onus on its customers to safeguard its logon information and passwords. AWS are presumably also looking to see whether this hack might have been used as a bridgehead for further attacks on other AWS customers.
By concealing the hack and paying off the hackers Uber breached US laws which require notification of people who are the victim of data compromises (similar laws will come into the UK in May 2018).
Furthermore, they impeded the ability of other organisations caught up in the hack to check how far their own systems had been compromised.