Third-party cloud-based services are like a box of chocolates - you often don't know what you’re going to get. They could work perfectly, but they could also put you in a very uncomfortable position.
First Published 24th November 2017
Uber, showing its hand.
4 min read | Reflare Research Team
Earlier this week, ride-hailing company Uber revealed that it had fallen victim to a data breach in late 2016. While specifics differ slightly between accounts, all sources appear to agree that the attackers offered to destroy the data in return for a payment of USD 100,000 and that Uber accepted the offer.
In this briefing, we will take a look at the breach and the ramifications of paying attackers.
What happened?
According to Uber, customer data was stolen from a “third-party cloud-based service”. Fortune and several other news outlets identify this service as GitHub, albeit we could not establish clear evidence at the time this briefing was published.
GitHub is a very popular source code hosting service used by both public projects and companies to manage their code bases. If the breach indeed happened through GitHub, the most likely scenarios are that developers accidentally checked access keys or user data into public repositories, or that private repositories containing such data were accidentally made public.
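The accidental check-in scenario described above is the kind of mistake a pre-commit scan can catch. The following is an added example, not code from Uber, GitHub or the original briefing: it flags credential-shaped strings (an AWS access key ID, a private key block, or a high-entropy value assigned to a name like `secret` or `password`) in text that is about to be committed. The rule names, the entropy threshold and the sample config are assumptions of this example; the sample credentials are the placeholder ones AWS publishes in its documentation.

```python
# Added example (not Uber's or GitHub's code): flag credential-shaped strings in text staged for commit.
import math
import re
import sys

# AKIA + 16 upper-case alphanumerics is AWS's documented access key ID shape;
# the other two rules are generic shapes assumed for this example.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "hardcoded_secret": re.compile(
        r"(?i)(secret|password|passwd|api[_-]?key|token)\w*\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
}

def shannon_entropy(s: str) -> float:
    """Bits per character: random keys score high, words like 'changeme' low."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def scan_text(text: str, entropy_threshold: float = 3.5):
    """Return (line_no, rule, matched_text) for every suspicious line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, rx in PATTERNS.items():
            m = rx.search(line)
            if m is None:
                continue
            # Assignments are only flagged when the value looks random, so
            # placeholders such as "changeme" do not block every commit.
            if rule == "hardcoded_secret" and shannon_entropy(m.group(2)) < entropy_threshold:
                continue
            findings.append((line_no, rule, m.group(0)))
    return findings

# Constructed sample of a config file a developer might stage by mistake; the
# credentials are the placeholder ones AWS publishes in its documentation.
SAMPLE = (
    "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
    'aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    'password = "changeme"\n'
    "-----BEGIN RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":  # non-zero exit aborts the commit when used as a pre-commit hook
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    hits = scan_text(text)
    for line_no, rule, snippet in hits:
        print(f"line {line_no}: {rule}: {snippet}", file=sys.stderr)
    sys.exit(1 if hits else 0)
```

Run stand-alone it scans the embedded sample; as a hook, pipe `git diff --cached` into it so only the staged changes are checked.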
However it happened, the data of 57 million accounts was compromised. This includes regular customers who had their email addresses, mobile phone numbers and names leaked, as well as the accounts of 600,000 Uber drivers who additionally had their driver's license numbers leaked.
Uber reportedly agreed to pay the attackers USD 100,000 in return for the data being destroyed.
The legal perspective
While the legality of paying the ransom is complicated, keeping a data breach secret is illegal in many of the jurisdictions that Uber operates in - most notably in the EU. We expect EU member states to open investigations against Uber on those grounds. Other countries and US states are likely to follow suit. As stronger data protection laws - known as the GDPR - are about to come into effect in the EU at the beginning of 2018, this case will likely be made an example of.
The moral perspective
The information security community appears split on the moral ramifications of the ransom payment with a majority condemning it and a steadfast minority approving of it.
The argument in favour of ransom payments is that protecting user data is the overriding priority and that the payment is thus justified - especially considering the low price and high potential damage.
The argument against ransom payments is that paying ransoms incentivizes attackers to hold user data for ransom in the future, which worsens the situation for everyone. Opponents further point out that Uber has no way of confirming that the data was actually deleted and will not be purposefully or accidentally published at a later date.
Summary
The ransom payment is likely to be the topic of debate among the security community in the coming weeks. We expect the EU and potentially other countries to file suit against Uber in relation to this breach under security breach reporting laws.
Once data is stolen, there is no way to get it back. Even if ransoms are paid, the destruction of the data cannot be guaranteed. Thus preventing leaks, which, as in this case, often happen due to human error, should be the top priority for any organization.