What Uber Can Teach Us About Data Security
Last week, Uber revealed that it had suffered a data breach in 2016 that exposed the personal data of 57 million drivers and riders. This was more than just another breach, as scandal-laden Uber chose not to disclose the breach to victims and regulators, instead choosing to pay the hackers $100,000 to delete the data and hide the fact that it ever occurred.
Some of the fallout follows a familiar script: public outcry, corporate apologies, and firing anyone that can be held accountable (in this case, the CSO and one of his deputies). The inevitable lawsuits and congressional outrage are nothing new, but the Uber narrative forges into new territory due to the fact that they tried to cover up the breach instead of immediately disclosing it. Equifax took a lot of heat for dragging their feet nearly six weeksafter their breach; imagine if they had intentionally swept it under the rug for over a year.
The 2017 Ponemon Institute Cost of a Data Breach study puts the average cost of a breach in the U.S. at $7.35 million. The study explicitly excludes “catastrophic or mega data breaches”, so it’s impractical to apply the $141 average per record to a breach such as Uber’s. But Equifax has already recorded a one-time charge of $87.5 million due to the event, lost $4 billion in market value in the days following the aftermath, saw its third quarter income fall 27 percent, and has more than 240 class-action lawsuits and 50 investigations pending. While the Uber incident did not include social security or credit card numbers, it certainly doesn’t look good for them.
And it isn’t getting any easier. With the EU’s General Data Protection Regulation (GDPR) going into effect in May of 2018, companies dealing with EU citizen data are going to be subject to a slew of new regulations and fines — up to 4 percent of worldwide income. Notification is expected to occur within 72 hours, with stiffer penalties for those that fail to comply. If Uber was subject to GDPR, their year-long cover up would certainly them push towards the $320 million maximum that would be expected from an estimated $8 billion annual run rate. And congress is taking note, reviving legislation to punish those that fail to disclose breaches in a timely manner, including up to five years of jail time for cases of intentional non-disclosure.
So what is a company to do? At Uber, the cause of the breach was described by Bloomberg as:
Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information.
Storing privileged credentials in your code, and hosting that code on GitHub, is a rookie mistake — a byproduct of a lax security culture and process. While beefing up your security practices is a no-brainer response, mistakes are always going to happen.
Keeping mistakes from becoming catastrophes requires changing your data security perspective.
Data is at the center of the modern digital enterprise, driving everything from new user experiences to new products to new business insights. For most companies, it’s the greatest source of risk — containing personal information and confidential intellectual property. But most security processes and organizations evolved in an application-centric age, and understanding how data and risk propagates through those processes is a challenge.
Why did that Uber application need access to production data? Why were those access credentials not restricted to only the data required for the application? Who within Uber understood that this application had a dependency on that data, and who was accountable for managing security access?
We don’t know the answers to these questions, but you should for all critical data in your enterprise. By starting with the data first, you can map out where dependencies exist and how risk propagates across applications, non-production environments, and analytics pipelines. You can then design your culture, processes, and controls around the data first, instead of trying to retrofit the processes you have today.
The next Uber is just around the corner. The total cost of breaches — including remediation, penalties, and lost business — is only going up. And traditional security approaches simply aren’t cutting it anymore. Solving this problem requires inverting your security perspective and putting data at the center. Waiting is not an option.