Had Uber been properly monitoring its event management systems, it may well have pinpointed unusual patterns or log-ons, and been able to prevent the attack
Well, here we go again with another huge and avoidable loss of private data.
The revelation that the details of some 57 million Uber customers and drivers have been leaked, with the company then paying the hackers $100,000 to delete the data and keep quiet about it, is yet another ‘nail in the coffin’ for the data security strategies employed by businesses – both large and small.
Not only did Uber’s systems allow such a hack, the company also failed to disclose the breach.
It seems to be some kind of ransom attack and of course, under the forthcoming GDPR regulations (due to take effect in 2018) such a breach would cost the company dear, some 4 per cent of their global turnover.
US regulations require companies to disclose all breaches and Uber are in clear contravention of this.
It clearly demonstrates the weakness of cloud-based technology when it comes to adequately securing data in storage. It seems that this data was not encrypted – an unbelievable situation in today’s climate – but even if it had been, that may not have prevented the breach if the hackers had access to the right credentials.
Two-factor authentication should have been deployed, where a unique password is required for each transaction.
Also, had Uber been properly monitoring its event management systems, it may well have pinpointed unusual behaviour patterns or log-ons, and been able to prevent the attack.
This is not rocket science; it just takes the will to impose robust data security systems. It seems that there wasn’t a will to do this.
Colin Tankard is managing director at data security company Digital Pathways, a specialist in the design, implementation and management of systems that ensure the security of all data whether at rest within the network, mobile device, in-storage or data in-transit across public or private networks.