Car-sharing service Uber doesn’t shy away from controversy. It’s come under fire for sharing real-time data about “notable users” without their permission, and its CEO once suggested that the company track the activities of journalists who oppose the company’s business model. Now, the company is under fire for a data breach that exposed the names and driver’s license numbers of 50,000 Uber drivers, and that’s not all. According to Ars Technica, the security key needed to access this data may have been stored on a public GitHub page. Oops!
For its part, Uber says that 50,000 drivers is “a small percentage of current and former Uber driver partners,” and spokesperson Katherine Tassi says the company has not received any complaints about identity misuse. According to the Insurance Journal, however, the ride-sharing service now faces a class action lawsuit from drivers who say Uber waited too long to disclose the breach, which occurred in May 2014.
But how does something like this even happen? The current theory is that someone working at Uber stored the company’s encryption key on two now-removed GitHub gists. In May of last year, someone from “an IP address not associated with an Uber employee and otherwise unknown to Uber” accessed the GitHub pages, downloaded the security key and grabbed 50,000 driver records. Now, Uber is trying to force GitHub to give up the IP address of every user who accessed the pages containing its key, but there’s little chance the coding site will comply.
Bottom line? This is a mess. From posting secure data on a public forum to waiting this long to disclose a breach and then demanding that GitHub — which warns users against posting exactly this kind of secure information — turn over IP data, Uber is in a heap of trouble.
What happened to Uber seems almost ludicrous; how could a company let this kind of sensitive information get posted on a public site? How could they have missed it? In truth, many companies run the same risk but simply haven’t been burned. For example, many employees use the same password for every network service and access point, and many rely on easily guessed combinations such as Password123. What’s more, the use of cloud sharing and document storage services is now commonplace, especially among enterprise users. The result is that sensitive information is already on the Web or easily accessed, just waiting for a malicious actor to snap it up.
And where are IT security professionals in all this? Understandably they’re aiming high, looking for sophisticated malware threats and hunting for evidence of vulnerabilities in existing code. Many aren’t searching out low-hanging fruit like the accidental public posting of a key that caught Uber, and as a result, data is slipping through the cracks. With IT budgets already strapped, dealing with these threats necessitates an automated solution, one that can intelligently seek out strange network behavior and trigger an IT response. Actions that seem innocuous or risk-free, such as pasting a snippet of configuration into a public gist, may in fact open a threat vector; the right end-user security tools catch them and prompt timely correction.
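One concrete form of the automated, low-hanging-fruit check the paragraph above calls for is a scanner that flags credential material before it reaches a public repository or gist. The script below is an added example written for this article, not a tool Uber or GitHub uses; its pattern set is an illustrative assumption, and the sample config it scans is constructed with fake values.

```python
import math
import re
import sys

# Illustrative signatures of credential material (assumed set, not exhaustive).
PATTERNS = {
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "keyword_assignment": re.compile(
        r"(?i)\b(?:secret|token|api[_-]?key|password)\s*[:=]\s*['\"]?[A-Za-z0-9+/=_\-]{16,}"),
}
TOKEN = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")

def shannon_entropy(s):
    """Bits per character: random key material scores high, prose and identifiers low."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def find_secrets(text, entropy_threshold=4.0):
    """Return (line_number, reason) for each line that looks like a leaked secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        reason = next((name for name, pat in PATTERNS.items() if pat.search(line)), None)
        if reason is None and any(shannon_entropy(t) >= entropy_threshold for t in TOKEN.findall(line)):
            reason = "high_entropy_token"  # a bare key with no telltale keyword next to it
        if reason:
            findings.append((lineno, reason))
    return findings

# Constructed sample config with fake values; nothing here is a real credential.
SAMPLE = """# service settings
description = "internal-dashboard-service"
api_key = "9f8A3kL0zQw2xV7bN4mP1sR6tY5uI8oE"
-----BEGIN RSA PRIVATE KEY-----
aws_key = AKIAEXAMPLEEXAMPLE01
session_seed zX9pQ2mL7vB4nK1cR8tY3wE6
"""

if __name__ == "__main__":
    # Scan files named on the command line (e.g. from a pre-commit hook); with no
    # arguments, scan SAMPLE. Exit 1 on any hit so the hook blocks the commit.
    sources = {"SAMPLE": SAMPLE} if len(sys.argv) == 1 else {}
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="ignore") as fh:
            sources[path] = fh.read()
    hits = [(p, ln, why) for p, txt in sources.items() for ln, why in find_secrets(txt)]
    for p, ln, why in hits:
        print(f"{p}:{ln}: possible secret ({why})")
    sys.exit(1 if hits else 0)
```

The entropy fallback is what catches a key pasted without a `password=`-style label; tune the threshold against your own repositories, since long identifiers in some code bases score close to 4 bits per character.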
Uber’s mistake is a warning: Security threats do not depend on complexity. Keep it simple; keep it automated; keep your data safe.