Uber - On Paying Ransoms
Earlier this week, ride-hailing company Uber revealed that it had fallen victim to a data breach in late 2016. While specifics differ slightly between accounts, all sources appear to agree that the attackers offered to destroy the data in return for a payment of USD 100,000 and that Uber accepted the offer.
In this briefing we will take a look at the breach and the ramifications of paying attackers.
What happened?
According to Uber, customer data was stolen from a “third-party cloud-based service”. Fortune and several other news outlets identify this service as GitHub, although we could not establish clear evidence at the time this briefing is published.
GitHub is a very popular source code hosting service used by both public projects and companies to manage their code bases. If the breach indeed happened through GitHub, the most likely scenarios are that developers accidentally checked access keys or user data into public repositories, or that private repositories containing such data were accidentally made public.
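The failure mode described above, credentials committed to a repository, is one that organizations can check for before a commit leaves a developer's machine. The following is an added example, not code from Uber or GitHub: a small scanner that flags the publicly documented AWS access key ID format and, heuristically, high-entropy values assigned to secret-looking names, so that placeholder values are not reported. The sample configuration text is constructed, and the AWS values in it are the placeholder keys from AWS's own documentation.

```python
import math
import re

# Credential formats commonly leaked into repositories. The AWS access key ID
# format (AKIA + 16 uppercase alphanumerics) is public; the second pattern is
# a heuristic for "name = value" assignments with secret-like names.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_secret_assignment": re.compile(
        r"(?i)(secret|token|api[_-]?key|password)\w*\s*[:=]\s*['\"]?"
        r"([A-Za-z0-9/+=_\-]{16,})"
    ),
}


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; placeholders like 'changeme' score low."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str, min_entropy: float = 3.5):
    """Return (line number, pattern name, matched value) for each finding."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(match.lastindex or 0)
                # Skip low-entropy assignments: likely placeholders, not real secrets.
                if name == "generic_secret_assignment" and shannon_entropy(value) < min_entropy:
                    continue
                findings.append((lineno, name, value))
    return findings


# Constructed sample resembling a config file accidentally staged for commit.
SAMPLE = "\n".join([
    "# constructed sample, not real data",
    "aws_access_key_id = AKIAIOSFODNN7EXAMPLE",
    "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    'api_key = "xK9pQ2mZ7vL4nR8tB3wY6"',
    "password = 'changemechangeme'",
])

if __name__ == "__main__":
    for lineno, name, value in scan_text(SAMPLE):
        print(f"line {lineno}: {name}: {value}")
```

Wired into a pre-commit hook, a check like this refuses the commit when findings are non-empty; it complements, rather than replaces, keeping private repositories private and rotating any key that was ever exposed.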
However it happened, the data of 57 million accounts was compromised. This includes regular customers who had their email addresses, mobile phone numbers and names leaked, as well as the accounts of 600,000 Uber drivers who had their driver's license numbers leaked in addition.
Uber reportedly agreed to pay the attackers USD 100,000 in return for the data being destroyed.
The legal perspective
While the legality of paying the ransom is complicated, keeping a data breach secret is illegal in many of the jurisdictions that Uber operates in - most notably in the EU. We expect EU member states to open investigations against Uber on those grounds. Other countries and US states are likely to follow suit. As stronger data protection laws - known as the GDPR - are about to come into effect in the EU at the beginning of 2018, this case will likely be made an example of.
The moral perspective
The information security community appears split on the moral ramifications of the ransom payment with a majority condemning it and a steadfast minority approving of it.
The argument in favor of ransom payments is that protecting user data is the overriding priority and that the payment is thus justified - especially considering the low price and high potential damage.
The argument against ransom payment is that paying ransoms incentivizes attackers to hold user data ransom in the future and thus worsens the situation for everyone. Opponents further point out that Uber has no way of confirming that the data was actually deleted and will not be purposefully or accidentally published at a later date.
Summary
The ransom payment is likely to be the topic of debate among the security community for the coming weeks. We expect the EU and potentially other countries to file suit against Uber in relation to this breach under security breach reporting laws.
Once data is stolen, there is no way to get it back. Even if ransoms are paid, the destruction of the data cannot be guaranteed. Thus preventing leaks - which, as in this case, often happen due to human error - should be the top priority for any organization.