Background
Hackers stole the personal data of 57 million customers and drivers from Uber
Technologies Inc., a massive breach that the company concealed for more than a year.
Compromised data from the October 2016 attack included names, email addresses and
phone numbers of 50 million Uber riders around the world, the company told Bloomberg
on Tuesday. The personal information of about 7 million drivers was accessed as well,
including some 600,000 U.S. driver’s license numbers. No Social Security numbers, credit
card information, trip location details or other data were taken, Uber said.
At the time of the incident, Uber was negotiating with U.S. regulators investigating
separate claims of privacy violations. Uber now says it had a legal obligation to report the
hack to regulators and to drivers whose license numbers were taken. Instead, the
company paid hackers to delete the data and keep the breach quiet. Uber said it believes
the information was never used but declined to disclose the identities of the attackers.
Assumptions
Security policies were not applied, or the people responsible for the data were unaware of them.
When outsourcing, it is important to have a clear document stating what we want from the services.
They lacked awareness regarding the services.
Lack of IT security training.
INVOLVED
What Happened
It was 2016. Travis Kalanick was CEO of Uber at the time, and the company counted among
its ranks Joe Sullivan as CSO, who along with his team did important work protecting the
data of the application's millions of users, whether drivers or customers looking for a car
to move from one place to another. Having the ex-CSO of Facebook, Inc. gave the world to
understand that Uber was a safe and uncomplicated application. However, everything fell
apart that year: the company was the victim of a data breach in which the information of
57 million users, both drivers and customers, was stolen directly from its servers. It is
worth mentioning that this attack was carried out through ransomware implanted from an
Amazon Web Services server: the two attackers, whose identity is unknown, managed to obtain
the credentials of some engineers to enter the server and implant the ransomware.
The estimated amount to release and delete the copies of all these users' data, which
included emails, phone numbers, bank cards and users' addresses, among other things, was
$100,000 in total. However, Uber got into trouble and ended up paying far more in fines:
$148 million for having reported this information theft 1 year late.
As a consequence, the aforementioned Joe Sullivan was fired a month after the theft of
information was revealed in August 2017. As if that were not enough, the CSO was accused of
complicity, because his team had detected the theft a month after it happened in 2016 but
kept quiet. It was not until the hackers threatened to spread the data that the company
officially became aware. The CEO at that time ordered an external investigation of his
security team, and that is how it was learned that the team had known of the theft for a
year.
Today it is known that Travis Kalanick was replaced as CEO of the company by Dara
Khosrowshahi, who currently remains in that position. The media suggest that co-founder
Travis Kalanick could be equally involved; however, this is not known, or rather not
mentioned, only that months later he was replaced because of this situation. Similar
problems at Uber had been mentioned in previous years, so it can be said that there was no
more patience for Travis, and it was at this point that a change in the direction of the
company was decided.
These are some of the articles with more information about the incident at Uber (including
a case study):
https://www.bloomberg.com/news/articles/2017-11-21/uber-concealed-cyberattack-that-exposed-57-million-people-s-data
https://techcrunch.com/2017/11/21/uber-data-breach-from-2016-affected-57-million-riders-and-drivers/
https://www.cnbc.com/2018/09/26/uber-to-pay-148-million-for-2016-data-breach-and-cover-up.html
https://www.nytimes.com/2017/11/21/technology/uber-hack.html
https://medium.com/golden-data/case-study-uber-technologies-inc-data-breach-7261484d6471
https://medium.com/golden-data/case-study-uber-god-view-9157d10630e3
Involvement
Uber is known for its good travel options; however, it also offers a food delivery
service, the chance to earn money while driving around your city, improvements to
public transportation by giving personalized attention to those who need it, and a
service for companies. This means that you can hire Uber for company
transportation, and it would be a responsible service that your employees who ride
in trucks would appreciate, helping them arrive early to work.
The second service is Uber Pool, where you can share a ride with someone going
near or to the same place and divide the fare among the people in the Pool. The
third service is Uber Comfort, which has the newest cars on the market, spacious
enough for comfortable legroom. The fourth service is Uber Black, which offers more
expensive trips in luxury cars; you can find top cars, but the price will make you
desist from this option. Finally, there is the Uber WAV service, which is
specialized for people who need to travel in wheelchairs. With this we can say that
Uber cares about food and makes its service useful to all types of people.
The service is available in more than 10 thousand cities and in more than 600 airports
around the world, and it guarantees safety on your trip from start to finish.
Continuing with the food service, Uber Eats is a service where you order from a
restaurant associated with the company and a delivery person takes your food to
your door. Whether you pay with a credit card or pay the delivery person, it is a
single payment; there is no fee or tip for the delivery person, as that is the
responsibility of the restaurant where you place the order.
On the other hand, we have the Uber Freight service, which consists of connecting
carriers and shippers. Consignors touch a button to instantly book the loads they
want to be transported. Thanks to the upfront fee, shippers always know the profit
they will make. Uber for Business is basically rides for your employees or for your
customers: it gives you an easy way to manage your ground transportation needs.
Designed for the workplace, it provides a clear view of employee travel activity and
automates payments, expense rendering and reporting.
As for the risks we can see in the application, any application is susceptible to
malware. Likewise, the service could suffer a DDoS attack, which raises the flow of
requests and makes the application collapse for a while, or, as we saw in past
years, it may be susceptible to data theft. Below we go a little deeper into each
type of risk discussed in this writing.
Malware: Malware or "malicious software" is a broad term that describes any
malicious program or code that is harmful to systems.
Hostile, intrusive and intentionally nasty malware attempts to invade, damage or
disable computers, computer systems, networks, tablets and mobile devices, often
taking partial control of a device's operations. Like the flu, it interferes with normal
operation.
The malware's intent is to illicitly extract money from the user. While malware
cannot damage system hardware or network equipment, with one known
exception (see Google's Android section), it can steal, encrypt or erase your data,
alter or hijack basic computer functions, and spy on your computer activity without
your knowledge or permission.
DDoS: A DDoS attack aims to disable a server, service or infrastructure. There are
several forms of DDoS attack: by saturating the server's bandwidth to make it
inaccessible, or by exhausting the machine's system resources, thus preventing it
from responding to legitimate traffic.
During a DDoS attack, multiple requests are sent simultaneously from different
points on the network. The intensity of this "crossfire" compromises the stability
and sometimes the availability of the service.
Development of a DDoS attack
1. The server is operational sending and receiving packets normally.
2. The DDoS attack is caused by bandwidth overload or exhaustion of
system resources.
The network becomes saturated, so the server is unable to process legitimate
packets among the mass of incoming information.
Conclusion
As a conclusion to this case, we can say that it doesn't matter if you have the best CSO or
if you consider that you have a good IT or security team. The most important thing we have
been seeing throughout the topics is that human error is a very important factor when it
comes to eradicating the dangerous situations that surround a business. As we saw in this
problem presented at Uber, it started because staff did not follow the good practices we
have been working with: they did not follow the statutes imposed by the company, they were
distracted, and it was through that flank that the attackers were able to enter, although
it did not involve some kind of engineering. The lesson is to always be vigilant, not to
have weak passwords, and not to underestimate the attackers who seek to harm us and damage
the company in which we work.
Our recommendation is to continue with the trainings at least every 2 months and to test
our employees, especially those we see with low performance or a low level of security, at
least once every 2 weeks, in order to give them the necessary knowledge and to keep them
from continuing to make mistakes that could cost thousands or millions of pesos. As we have
been seeing, everything falls on us, the human beings: just as we should be the first line
of defense, we are the first weakest link in this defense. It is important to nourish
ourselves with this type of information to be able to notice anomalies or anything that is
not right on our computers, and simply to refine those details that will only come to the
surface and disappear with good practice in these simulated environments.
Final message
For Uber riders, the company says it doesn’t believe affected individuals need to act. “We
have seen no evidence of fraud or misuse tied to the incident,” its statement to riders said.
“We are monitoring the affected accounts and have flagged them for additional fraud
protection.”
While Uber states that there is no need for action, there are still things you should be on
the lookout for when breaches of this magnitude occur. When popular companies are
gaining major headlines in the mainstream media, scammers may attempt to take
advantage of the chatter around this incident.
Uber has stated that it’s notifying affected drivers whose driver’s license numbers were
accessed and is providing them with free credit monitoring and identity theft protection
services. The company is providing additional information for its drivers on its website.
Cybercriminals may attempt to launch phishing attacks, appearing to come from Uber,
hoping to trick unsuspecting customers into providing personal information, such as
account credentials or payment card information. In the case of a major security incident
like this, it’s always best to go straight to the source — the company’s official website, and
not click on any of the links in the email. Be sure to also check the actual email address to
ensure a message is from the company or person it appears to be from. Also, don’t click
on an emailed link or attachment without verifying the email’s authenticity.
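The sender and link checks recommended above can be automated. The following is an added example, not part of the original document; it assumes uber.com is the official domain and that the message is single-part plain text, and the helper names and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "uber.com"  # assumption: the company's official domain

def in_domain(host, domain=OFFICIAL_DOMAIN):
    """True only for the domain itself or a genuine subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def check_message(raw):
    """Return the reasons a single-part text message should not be trusted."""
    msg = message_from_string(raw)
    findings = []
    # The display name is free text; only the address after it counts.
    _display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2]
    if not in_domain(sender_host):
        findings.append(f"sender domain {sender_host!r} is not {OFFICIAL_DOMAIN}")
    for url in re.findall(r"https?://[^\s\"'<>]+", msg.get_payload()):
        # urlsplit drops any "user@" prefix, so "uber.com@other.host" resolves
        # to other.host, which is where the browser would actually connect.
        host = urlsplit(url).hostname
        if not in_domain(host):
            findings.append(f"link points to {host!r}")
    return findings

# Constructed sample messages (not real mail).
PHISH = """From: "Uber Support" <support@uber-alerts.example>
Subject: Action required after the security incident

Confirm your account at https://uber.com@login.example.net/reset
or at https://uber.com.account-check.example/verify today.
"""
LEGIT = """From: Uber <noreply@uber.com>
Subject: Your receipt

See https://help.uber.com/riders for details.
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, check_message(raw) or "no findings")
```

A clean result here is necessary but not sufficient: the From header itself can be forged, which is what the receiving mail server's SPF, DKIM and DMARC checks address.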