You’ve likely read the reports, or heard the recent news, that hackers stole the personal data of 57 million customers and drivers from Uber, a massive breach that the company concealed for more than a year.
How did the hack happen?
Here’s how the press describes the hack:
Two attackers accessed a private GitHub coding site used by Uber software engineers. They then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money, according to the company.
If you read between the lines, it looks to us like someone (or several someones) was careless about leaving internal passwords lying around online. And for some reason, Uber paid the ransom instead of reporting the breach right away.
Don’t try to deny.
No doubt regulators have asked Uber tough questions about why they were not informed about the breach for a year. Class action lawsuits—trouble the likes of which even the Grinch never saw—are sure to follow.
Uber says it has “not seen evidence of fraud or misuse tied to the incident.” Let’s hope they are right, but one has to wonder if these records were really deleted. It’s practically a sure thing they’ve been sold on the dark web, or will be.
The sad truth is the data could be abused by these criminals in many ways, without Uber ever becoming aware.
Stink. Stank. Stunk.
At Carolinas Net Care, we cannot emphasize enough how important it is to come to us with information or suspicion about a security breach as soon as you know. You can ask your clients’ and customers’ forgiveness for being hacked if you disclose it to them as quickly and as transparently as possible. Many people will find it harder to forgive if you deliberately cover up the truth.
Now that the phishing grinches have been exposed, copycats may come sniffing around with Uber-themed phishing attacks in a variety of flavors.
So, we want to take this opportunity to once again remind you of some ways to protect your data:
- Stay alert. Uber suffered the data breach a year ago, and the addresses and email information of 57 million people got stolen like the Grinch raiding Whoville in the middle of the night.
- Don’t open emails with warnings like “Your Uber Account Has Been Compromised.” They send people to compromised websites where their credentials will indeed be stolen!
- Watch out for other phishing emails warning that “you need to change your password,” or anything else that seems suspicious.
- Never click on a link in an email; always go to the website yourself through your browser. He’s a mean one, that Mr. Grinch.
- If it happens to you, report, don’t pay! Uber paid off the hackers who then supposedly deleted the data, but that cannot be confirmed.