Uber slammed by security experts over data breach that exposed data on 57 million customers

Security experts have slammed Uber over its handling of a data breach that exposed the data of 57 million customers.

The breach was first reported by Bloomberg. On Tuesday, Uber confirmed that, in late 2016, two individuals outside the company inappropriately accessed user data stored on a third-party cloud-based service. The data included personal information of 57 million Uber users around the world, such as names, email addresses and mobile phone numbers. The names and driver’s license numbers of around 600,000 drivers in the U.S. were also accessed.

External forensics experts brought in by Uber have found no evidence that trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded, according to a blog post by Uber CEO Dara Khosrowshahi.

Experts, however, have criticized the amount of time taken by Uber to notify users of the incident. “While the Uber breach was large in terms of the 57M customer and driver records lost, if Uber had followed standard breach protocol by notifying authorities and impacted users, remediated the problem and laid out steps that they were taking to avoid future breaches, the impact would have been much less,” said Corey Williams, senior director of products and marketing at identity management specialist Centrify.

“What makes this breach particularly damning is the failure of Uber to ethically disclose the breach to its customers,” added Stephan Chenette, CEO of enterprise security firm AttackIQ, in a statement emailed to Fox News.

In his blog post, Khosrowshahi, who became Uber chief in August after succeeding former CEO Travis Kalanick, said that he only learned about the breach recently. Kalanick is still a member of the company's board of directors.

Some 60 percent of Americans expect a company to respond within 24 hours of a potential scandal, according to research conducted by tech PR firm Bospar and market research company Propeller Insights.

The hackers reportedly gained access to the data via a coding site on GitHub that was used by Uber engineers. Credentials stolen from there were used to access data on an Amazon Web Services account that handled Uber’s computing tasks, according to Bloomberg. This led the attackers to the rider and driver information, the report said.

“This is yet another case of user error trumping the best security measures readily available today. For an organization as large as Uber, this is inexplicable,” said Zohar Alon, co-founder and CEO of cloud security specialist Dome9, in a statement emailed to Fox News. “There are tools available right now within GitHub that automatically check code for embedded access credentials such as AWS API [Amazon Web Services Application Programming Interface] keys.”

“This is something that Uber, and any organization that is developing code, can and should implement whenever a software engineer checks in code to GitHub,” he added. “Relying on a developer or administrator to follow best practices is foolhardy at scale and the errors seem to be more egregious each and every time a breach makes the headlines.”
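The control Alon describes above, a check that runs when code is committed and flags embedded cloud credentials, can be illustrated with a small scanner. The following is an added example written for this article, not code from Uber, GitHub or any of the vendors quoted; the key-ID pattern follows the documented format of long-term AWS access key IDs (20 characters starting with "AKIA"), the secret-key pattern is a looser heuristic, and the sample configuration file is constructed, using the placeholder key pair that AWS publishes in its own documentation rather than any real credential.

```python
import re
import sys

# Heuristic patterns for AWS credential material (assumptions of this example,
# not a complete rule set). Long-term IAM access key IDs are 20 characters and
# begin with "AKIA"; a secret access key is a 40-character base64-style token,
# which we only match when it follows a key-like name to limit false positives.
ACCESS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
SECRET_KEY = re.compile(
    r"(?i)aws[_-]?secret[_-]?access[_-]?key\W{0,5}['\"]?([A-Za-z0-9/+=]{40})['\"]?"
)


def redact(secret):
    """Keep only the first and last four characters so a report never re-leaks the value."""
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]


def scan_lines(lines):
    """Return (line_number, finding_type, redacted_value) for every credential-like hit."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for match in ACCESS_KEY_ID.finditer(line):
            findings.append((number, "aws_access_key_id", redact(match.group(0))))
        for match in SECRET_KEY.finditer(line):
            findings.append((number, "aws_secret_access_key", redact(match.group(1))))
    return findings


def scan_text(text):
    return scan_lines(text.splitlines())


def check_commit(text):
    """Exit status for a pre-commit hook: 0 lets the commit through, 1 blocks it."""
    findings = scan_text(text)
    for number, kind, value in findings:
        print(f"line {number}: {kind} {value}", file=sys.stderr)
    return 1 if findings else 0


# Constructed sample: an AWS CLI config file committed by mistake. Both values
# are the placeholders from AWS's own documentation, not live credentials.
SAMPLE = """\
[default]
region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# the fix is to read credentials from the environment or an instance role
# boto3 picks up AWS_ACCESS_KEY_ID from the environment automatically
"""


if __name__ == "__main__":
    # Usage as a hook: python scanner.py path/to/file ... (each staged file)
    status = 0
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as handle:
            status |= check_commit(handle.read())
    sys.exit(status)
```

Run against the sample, the scanner reports line 3 as an access key ID and line 4 as a secret access key, each shown redacted, and returns a non-zero status so the commit is rejected; the comment lines that merely mention the variable name are not flagged. A production scanner would add patterns for other providers and check for high-entropy strings, but the shape of the control is the same: it runs on every check-in instead of relying on the developer to remember.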

Guy Peer, vice president of R&D at cryptography and key management specialist Dyadic, described the breach as particularly frustrating. “It seems like in many of the major hacks, attackers are just entering through the main door, where even technology giants such as Uber are not exercising simple security practices,” he said, in a statement. “Simple measures such as strong authentication, credentials protection and encryption would have blocked such an attack and many other of the recent breaches in the news.”

Manoj Asnani, vice president of product and design at network security firm Balbix, told Fox News that password security is an ongoing challenge for businesses. “Stolen passwords are one of the most common ways adversaries propagate through the enterprise to steal critical data,” he said, in a statement.

Uber has also come under fire for its reported payment of $100,000 to the hackers, which was not addressed in Khosrowshahi’s blog post.

“With a situation like this there is no guarantee of destruction, and paying the cybercriminals only funds future hacks,” said Mark Nunnikhoven, vice president of cloud research at security firm Trend Micro, in a statement emailed to Fox News. “In the case of a breach, you have to assume the worst case scenario and assume that the users’ data will be sold in the digital underground and used for malicious purposes.”

Morey Haber, vice president of technology at security software company BeyondTrust, told Fox News that he is “baffled” by the events at Uber. “Every business should consider these as lessons learned and not make the same mistakes,” he said.

The Uber hack is the latest in a string of high-profile data breaches. Equifax, for example, recently confirmed a major data breach that could affect up to 143 million consumers in the U.S.

Last month, Yahoo! confirmed that three billion customer accounts had been compromised in a massive data breach, up from an initial estimate of one billion.

Follow James Rogers on Twitter @jamesjrogers