In October 2016, Uber the global car sharing company, experienced a massive breach whereby hackers stole personal data from approximately 57 million users and drivers. After a year of concealment without regulatory notice and payment to the hackers to destroy the data, Uber finally disclosed the breach. As a result, Uber has undertaken a large investigation into the hack.
Although Uber is under much scrutiny, there are several lessons executives, vendors, and business associates can learn from this breach. Any organization, regardless of size or type, can experience an attack, therefore it’s important to recognize the current risks to mitigate and prevent them.
Three significant takeaways from the Uber breach that every organization should follow as best practices:
- Restrict access with proper authorization and access controls
- Improve third-party vendor management
- Design and follow an incident response program
Restrict Access With Proper Authorization and Access controls
From a technical aspect, the Uber hackers first targeted and gained access to a private code repository, GitHub, utilized by Uber software engineers. There the attackers acquired login credentials to the company’s Amazon Web Services (AWS) account, where personal data, including names, email addresses, phone numbers, and even license numbers were archived.
To prevent unauthorized access, businesses should take the proper measures to limit access through proper authentication and access controls.
For users of GitHub, restricting user groups based on roles and responsibilities can provide additional levels of security and control as well as give greater visibility for monitoring activities and committed changes. For further protection, businesses should educate their employees to never save or share passwords and consider implementing Universal Second Factor Authentication (U2F).
Improve Third-Party Vendor Management
When using third-party vendors, it’s incredibly important to use the utmost due diligence. For Uber developers, two mistakes were made while using a third-party, GitHub. The first was the accidental misuse of GitHub’s functionality, and the second was the poor review of information sent to the third-party.
As the investigation is still pending, it’s difficult to pinpoint how the hackers accessed Uber’s GitHub account. However, it’s possible that the company did not adequately leverage gitignore files, a feature designed to ensure sensitive files are not uploaded to a git repository allowing hackers to access credentials, passwords, keys, and other sensitive data.
Therefore, organizations using cloud service providers and repositories should carefully review all files and source codes before uploading. The attackers gained access to Uber’s AWS account by finding stored credentials in a source code that was uploaded by Uber to GitHub. To help prevent this type of attack do not hard code credentials within source code and review source code files prior to an upload, even if using gitignore, to ensure any credentials have been scrubbed.
Additionally, if an organization uses multiple repositories they should always keep one secure by switching access to private. This creates one copy of the repository that an organization can trust and recognize as a single source of truth.
Design and Follow an Incident Response Program
Good business practices always include an Incident Response Program with a set of policies, procedures, and processes to appropriately address, mitigate, and respond to an incident. Depending on the organization, some of the elements of the program may be legally mandatory.
For Uber, the apparent disregard or lack of an appropriate incident response resulted in major legal and regulatory consequences. As a state and federal requirement, Uber was obligated to notify affected users and government agencies when sensitive information, such as driver’s license data, had been breached. The failure to disclose the hack resulted in customer lawsuits over negligence of their data.
To prevent and/or properly moderate an incident, organizations should design and follow an incident response plan that best suits their needs and requirements.
A successful Incident Response Program should help an organization to:
- Prepare: Teach employees to handle potential incidents
- Identify: Recognize and determine whether an event is an incident
- Contain: Limit damage and isolate to prevent further damage
- Eradicate: Investigate and remove cause
- Recover: Complete elimination of threat
- Improve: Complete incident documentation and learn for the future
Security threats and data breaches can occur to any organization. It is imperative to recognize the valuable lessons learned from the Uber attack, to prevent your organization from becoming a victim.
If you would like to learn more about these best practices and how A-LIGN can assist your organization in preventing an attack, please contact us at firstname.lastname@example.org or 1-888-702-5446.