Two years ago, Uber suffered a massive data breach that exposed a huge user database to hackers. Rather than disclose it, Uber chose to hide the matter: it paid the hackers to delete the stolen data and keep the incident quiet. That did not work, and the breach became public a year later. Now, as the party responsible for the lapse, Uber has been fined a combined total of around $1.2 million by the UK ICO and the Dutch DPA.
Uber Fined By ICO For 2016 Hack
As disclosed recently by the Information Commissioner’s Office (ICO), Uber was fined a hefty amount by the UK and Dutch authorities over its security lapse. The company suffered a data breach that leaked 57 million records to the hackers. The incident affected both riders and drivers. Reportedly, the leaked data included personal details of 2.7 million UK customers. It also contained data on 82,000 UK drivers, including details of the rides they had made and their payment methods.
According to the ICO, the hackers gained access to Uber’s systems through a credential stuffing attack. For failing to protect users’ data, the ICO has imposed a fine of £385,000 (around $490,760) on Uber.
In addition, the Dutch Data Protection Authority (Dutch DPA) has fined Uber €600,000 (approx. $677,587) over the same breach. Reportedly, the breach affected 174,000 Dutch citizens.
The ICO explained that the fine was imposed under the Data Protection Act 1998, which applied at the time of the breach and capped penalties at £500,000. Had the incident occurred after the GDPR came into force in May 2018, Uber could have faced a far larger penalty, since the GDPR allows fines of up to €20 million or 4% of global annual turnover.
Commenting on the fine, Rich Campagna, CMO at Bitglass, told LHN,
“This fine shows that even the most prominent public organisations need to pay more attention to data security policies and put in place appropriate measures to keep personal data safe. Many companies continue to display poor stewardship over personal details belonging to customers, employees, and other parties. Unless organisations begin to respect the importance of protecting customer data, we will continue to see more big-name companies making costly mistakes that harm countless individuals.”
How Did It Happen?
Since Uber kept the matter hidden for so long, the details of how the breach happened remained veiled, leaving experts to make educated guesses about how the incident occurred. According to Luke Brown, VP EMEA at WinMagic, Uber may have fallen short on data encryption. Talking to LHN, he said,
“Data loss, data theft, data breach – these phrases are now part and parcel of the daily news agenda. My guess is that Uber hadn’t deployed encryption technology across all its platforms and environments. It’s well known that data residing anywhere in a company’s increasingly complex environment is at risk unless there is a standardised ubiquitous encryption platform in place.”
As for how the attackers got into Uber’s systems, the ICO confirmed that they used credential stuffing: trying username and password pairs harvested from earlier breaches against Uber’s login, counting on users having reused them. Explaining this situation to us, Stephen Moore, chief security strategist at Exabeam, told LHN,
“The most seasoned and well-resourced security teams can be easily overwhelmed by the volume of organisational alerts they receive in a day. That complexity, when combined with the inherent difficulties of detecting credential-based attacks, because the attackers are impersonating legitimate users, creates an environment that lacks control and trust. In this case, the security incident was likely the result of malicious actors using previously collected or breached login data to access accounts.”
What Next?
Even though the matter seems to be nearing an end now that Uber has been fined, the technical details of the hack remain blurry. Nonetheless, given the consequences of such breaches, all firms need to remain vigilant about their cyber security. According to Luke Brown,
“Falling victim to cyber criminals is the new normal, and all organisations need to take precautions to protect sensitive information should they become the victim of an attack.”
Protection against cyber attacks and data breaches does not consist of strong encryption alone. It also requires measures against credential stuffing, which exploits valid username and password pairs that users have reused across services, so the attacker never has to break anything. In this regard, Stephen Moore suggested,
“To protect against these types of attacks, organisations must shift the enterprise security strategy. To remediate incidents involving user credentials and respond to adversaries, the key is to move fast and consider an approach that is closely aligned with monitoring user behaviour – to provide the necessary visibility needed to restore trust, and react in real time, to protect user accounts. This should include the ability to detect, using behavioural characteristics, when events have occurred – especially when it comes to client/member/customer-facing incidents.”
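The ICO’s finding of credential stuffing and Moore’s call for behaviour-based monitoring both point at the same detection problem: the attacker presents valid credentials, so the signal is not a failed exploit but abnormal behaviour around logins. The Python below is an added example written for this article; it is not code from Uber, the ICO, Exabeam or WinMagic, and the authentication log it runs over is constructed. It demonstrates two checks a practitioner would run over such a log: a source-level check (one IP address cycling through many distinct usernames with a high failure rate inside a sliding window, which is the shape of credential stuffing) and a per-account check (a successful login from an address the account has never used before). The log field layout, the IP addresses and the thresholds (10 distinct accounts, 80% failure rate, five-minute window) are all assumptions.

```python
"""Credential-stuffing detection over an authentication log (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log, not real Uber data. Format per line:
#   <ISO-8601 UTC timestamp> <source IP> <username> <OK|FAIL>
SAMPLE_LOG = """\
2016-10-12T09:15:00Z 198.51.100.10 alice OK
2016-10-12T09:40:00Z 198.51.100.11 bob OK
2016-10-12T18:05:00Z 198.51.100.12 carol OK
2016-10-13T02:00:00Z 203.0.113.7 alice FAIL
2016-10-13T02:00:01Z 203.0.113.7 bob FAIL
2016-10-13T02:00:02Z 203.0.113.7 carol OK
2016-10-13T02:00:03Z 203.0.113.7 dave FAIL
2016-10-13T02:00:04Z 203.0.113.7 erin FAIL
2016-10-13T02:00:05Z 203.0.113.7 frank FAIL
2016-10-13T02:00:06Z 203.0.113.7 grace FAIL
2016-10-13T02:00:07Z 203.0.113.7 heidi FAIL
2016-10-13T02:00:08Z 203.0.113.7 ivan FAIL
2016-10-13T02:00:09Z 203.0.113.7 judy FAIL
2016-10-13T02:00:10Z 203.0.113.7 mallory FAIL
2016-10-13T02:00:11Z 203.0.113.7 oscar FAIL
2016-10-13T02:03:00Z 198.51.100.13 dave FAIL
2016-10-13T02:03:20Z 198.51.100.13 dave OK
2016-10-13T02:05:00Z 198.51.100.10 alice OK
"""

# Assumed cut-off: logins before it form the per-account baseline.
CUTOFF = datetime(2016, 10, 13, tzinfo=timezone.utc)


def parse_line(line):
    ts, ip, user, result = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": when, "ip": ip, "user": user, "ok": result == "OK"}


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect_stuffing_sources(events, window=timedelta(minutes=5),
                            min_users=10, min_fail_ratio=0.8):
    """Return {ip: (distinct_users, failures, attempts)} for every source that,
    inside some sliding window, tried at least min_users distinct accounts with
    a failure ratio of at least min_fail_ratio. The number of distinct usernames
    is what separates stuffing from one user mistyping their own password."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        start, fails = 0, 0
        users = defaultdict(int)  # username -> attempts currently in window
        for end, e in enumerate(evs):
            users[e["user"]] += 1
            if not e["ok"]:
                fails += 1
            # Slide the window start forward until it fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                old = evs[start]
                users[old["user"]] -= 1
                if users[old["user"]] == 0:
                    del users[old["user"]]
                if not old["ok"]:
                    fails -= 1
                start += 1
            attempts = end - start + 1
            if len(users) >= min_users and fails / attempts >= min_fail_ratio:
                flagged[ip] = (len(users), fails, attempts)
    return flagged


def build_baseline(events, before):
    """Known source IPs per account, taken from successful logins before the cut-off."""
    seen = defaultdict(set)
    for e in events:
        if e["ok"] and e["ts"] < before:
            seen[e["user"]].add(e["ip"])
    return seen


def detect_new_source_logins(events, baseline, after):
    """Successful logins after the cut-off from an IP the account has never used.
    Accounts with no baseline are skipped: a first-ever login is not an anomaly."""
    return [(e["user"], e["ip"]) for e in sorted(events, key=lambda e: e["ts"])
            if e["ok"] and e["ts"] >= after
            and e["user"] in baseline and e["ip"] not in baseline[e["user"]]]


def likely_compromised(events, stuffing_sources):
    """Accounts that logged in successfully from a flagged stuffing source."""
    return sorted({e["user"] for e in events if e["ok"] and e["ip"] in stuffing_sources})


def analyse(text, cutoff):
    events = parse_log(text)
    sources = detect_stuffing_sources(events)
    baseline = build_baseline(events, cutoff)
    return {"stuffing_sources": sources,
            "new_source_logins": detect_new_source_logins(events, baseline, cutoff),
            "likely_compromised": likely_compromised(events, sources)}


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG, CUTOFF).items():
        print(f"{key}: {value}")
```

On the constructed log the source check flags only 203.0.113.7 (12 distinct accounts, 11 failures in 12 attempts), the per-account check flags carol’s success from that address because her baseline knows only 198.51.100.12, and the two combine to name carol as the account to force a reset on. dave’s two attempts from 198.51.100.13 are not flagged: one user retrying a mistyped password is exactly the false positive a per-IP failure counter would raise and the distinct-username threshold avoids. In production the thresholds are tuned per login endpoint, and this kind of monitoring sits beside rate limiting, breached-password screening and multi-factor authentication rather than replacing them.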
In October this year, Facebook was also hit with a hefty ICO fine, in its case the full £500,000, which the ICO said was the maximum allowed under the Data Protection Act 1998 given the seriousness of that breach.