About a year after 57 million records were breached at Uber, the company issued a breach notification press release. The CEO made no excuses for the lateness of the notice, and, to be fair, he was not involved in the handling of the incident, since he was hired after the event. The notification also assures us that the Chief Security Officer was fired ("no longer with the company") as of the day of the notification.
The notice (https://www.uber.com/newsroom/2016-data-incident/ ) shares many of the features we have come to expect from breach notifications: a vague reference to when the company became aware of the incident ("late 2016"), a statement that impacted individuals will be notified and offered credit protection, a rough sizing of how many identities were impacted, and an acknowledgement that the company needs to do better and is consulting with experts on how to accomplish this.
The notice also has a familiar flaw: it downplays the organization's accountability for the breach. It assures us that "The incident did not breach our corporate systems or infrastructure." From a cybersecurity perspective, that statement no longer holds up. Adapting the definition of critical infrastructure used in the 2014 NIST Cybersecurity Framework, an enterprise's infrastructure consists of:
“systems and assets, whether physical or virtual, so vital to the United States [Enterprise] that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety [of the Enterprise], or any combination of those matters.”
By that definition, what the notice calls "data stored on a third-party cloud-based service that we use" IS part of your corporate systems AND infrastructure. The data is vital to the enterprise, and its loss has a debilitating impact on the enterprise, regardless of whose disks it sits on.
I am not just nitpicking here. It is crucial that the myth of "my data processor was hacked" be debunked. If an entire data processing service provider is hacked and all of its clients are impacted, that is a reasonable thing to claim. But if the breakdown is because you did not manage your third-party risk appropriately (which seems to be the case here), then you have to own it. Every major cloud provider's shared-responsibility model says the same thing: the provider secures the platform, but the credentials, access controls and configuration that govern who can reach the data you store there are yours to manage.
Finally, we come to the two things that are most unusual about this notification.
First, the CEO admits that their investigation and incident response team "identified the individuals and obtained assurances that the downloaded data had been destroyed." This was presumably included in the CEO's notification to acknowledge what had already been reported in the news: that the firm had paid the hackers for the assurance that the data were destroyed. It is truly odd that law enforcement is not mentioned in this part of the notification. Even if we accept that someone wanted this to go away so badly that they paid $100k to be assured that the personal information of 57 million customers was safe (seems like a bargain, no?), a mention that the company was working with the proper authorities would certainly have made sense here. Unless, of course, you think the data may not have been destroyed (i.e., the hackers still have leverage). A promise of deletion from the party that exfiltrated the data cannot be verified; there is no way to prove that every copy is gone.
Second, what we can only assume is a phrase that a well-intentioned corporate communications specialist inserted into the notification reads: "While we have not seen evidence of fraud or misuse tied to the incident, we are monitoring the affected accounts and have flagged them for additional fraud protection." Although the phrase is vague, it presumably means they are watching for anyone who obtained the customer data and is using it to book Uber rides fraudulently. Any broader monitoring would probably violate the account holders' privacy. Asking customers to re-authenticate their accounts and/or devices (forcing a password reset and invalidating existing sessions and device tokens) would mitigate a lot more fraud risk than monitoring alone, but without knowing what information leaked and how it is being used, it is hard to say for sure.
Conclusion: if you put your customers' data somewhere, you own the risks associated with that. And if you are really willing to trust the assurances of the people who stole 57 million records from you because you paid them, then I have all kinds of things I will assure you of (for a price).