Executive Insights on the Uber Hack
Lack of security best practices in large companies continues to lead to huge breaches of personally identifiable information.
Several security executives weigh in on the recent news that Uber concealed a hack of 57 million accounts for more than a year.
James Maude, Senior Security Engineer, Avecto:
“A serious error on Uber’s part was storing the keys to its data store on a GitHub code repository which the attackers could access. This is the digital equivalent of writing the password down on a bit of paper. Once the attackers had this key, they could access data easily.
“There is a growing issue around organizations outsourcing data storage to the cloud with limited or no security – yet companies feel like they’ve outsourced security too. The cloud presents both a great opportunity and a great danger at the same time.
“The cover-up of this data breach is almost as interesting as the breach itself, and is just as damaging. To avoid the reputational fallout, a lot of organizations will try and cover up ransomware and other breaches, but this is only getting harder. Legislation, such as the General Data Protection Regulation (GDPR) coming into effect in May in the EU and that will have global impact, makes it compulsory to notify the authorities of these events. This still applies in the case of ransomware, where data is encrypted but doesn’t leave the organization, or in the case of Uber where they paid up to make sure it didn’t go public.”
Zohar Alon, Co-founder and CEO, Dome9:
“This is yet another case of user error trumping the best security measures readily available today. For an organization as large as Uber, this is inexplicable. There are tools available right now within GitHub that automatically check code for embedded access credentials such as AWS API keys. This is something that Uber, and any organization that is developing code, can and should implement whenever a software engineer checks in code to GitHub. Relying on a developer or administrator to follow best practices is foolhardy at scale and the errors seem to be more egregious each and every time a breach makes the headlines.”
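Both Maude (keys committed to a GitHub repository) and Alon (automatic checks for embedded credentials at check-in time) are describing the same control: scan what a developer is about to commit and block it when it contains a cloud credential. The following is an added illustration of that control, written for this page; it is not code from DZone, from any of the quoted executives, or from GitHub's own secret scanning. It carries only two simplified AWS credential shapes (a real scanner has many more patterns and providers), and the sample diff is constructed here using the placeholder key values AWS publishes in its own documentation. Run it as a pre-commit hook by feeding it the staged diff; a non-zero exit blocks the commit.

```python
import math
import re
import sys

# Constructed sample diff, not taken from any real repository. The key values
# are the placeholder credentials AWS publishes in its own documentation.
SAMPLE_DIFF = """\
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+AWS_SECRET_ACCESS_KEY = "0000000000000000000000000000000000000000"
+db_host = "db.internal.example"
+LOG_FORMAT = "%(asctime)s %(levelname)s %(message)s"
+aws_secret = os.environ["AWS_SECRET_ACCESS_KEY"]
"""

# Two AWS credential shapes, simplified for illustration: an access key ID is
# 20 characters starting with AKIA; a secret access key is a 40-character
# base64-style string, matched only when it sits next to a telling name.
ACCESS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?(?:access[_-]?)?key\s*[=:]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)
# Real secrets are close to random. A token of the right length but with
# almost no entropy (all zeros, "changeme" padding) is a placeholder, not a
# leak, so it is filtered out rather than blocking the commit.
MIN_SECRET_ENTROPY = 3.5


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for a single repeated symbol)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(token: str) -> str:
    """Keep a short prefix so a finding can be reported without re-leaking it."""
    return token[:4] + "..." + "*" * (len(token) - 4)


def scan_diff(diff_text: str) -> list:
    """Return findings for the added ('+') lines of a unified diff.

    Each finding is a dict with the 1-based diff line number, the credential
    kind and a redacted value. Removed and context lines are ignored: deleting
    a key from the repo must not itself be blocked.
    """
    findings = []
    for lineno, line in enumerate(diff_text.splitlines(), start=1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        body = line[1:]
        for m in ACCESS_KEY_RE.finditer(body):
            findings.append({"line": lineno, "kind": "aws_access_key_id",
                             "value": redact(m.group(0))})
        for m in SECRET_KEY_RE.finditer(body):
            token = m.group(1)
            if shannon_entropy(token) >= MIN_SECRET_ENTROPY:
                findings.append({"line": lineno, "kind": "aws_secret_access_key",
                                 "value": redact(token)})
    return findings


def main(argv: list) -> int:
    """Pre-commit style entry point: scan the diff in the file named by argv[1]
    (or the embedded sample when no file is given) and exit 1 on any finding."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_DIFF
    findings = scan_diff(text)
    for f in findings:
        print(f"line {f['line']}: {f['kind']} {f['value']}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On the sample diff the scanner reports the access key ID on line 1 and the secret on line 2, ignores the all-zero placeholder on line 3 because of the entropy filter, and ignores line 6 because reading the secret from the environment is exactly what a developer should do instead of committing it. The hook is a safety net, not the fix: a key that has already reached a repository, even a private one, should be treated as compromised and rotated.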
Stephan Chenette, CEO and Co-founder, AttackIQ:
“We continue to see security control misconfigurations that result in costly breaches. Organizations that do not actively search for protection failures will more than likely find themselves victims of cybercrime such as Uber. What makes this breach particularly damning is the failure of Uber to ethically disclose the breach to its customers. This is another epic failure.”
Manoj Asnani, VP of Product and Design, Balbix:
"Stolen passwords are one of the most common ways adversaries propagate through the enterprise to steal critical data. Most security solutions do not provide visibility into breach risk from password reuse. Predictive security solutions can look at the password behavior of users – including sharing of passwords across personal and corporate use – and flag that risk. With this kind of a solution, Uber would have been able to see developers sharing the same passwords for GitHub and AWS accounts and take action to prevent this breach."
After the Equifax and Uber hacks, I guess hackers know almost as much about me as the 52,000 things Facebook does.
Has the continuous news of data breaches caused you, or your organization, to take security more seriously?
Opinions expressed by DZone contributors are their own.