Researchers claim that this incident compromised the company’s Amazon S3 buckets
Uber Technologies chose not to disclose a data breach in 2016, a decision that keeps bringing bad news for the ride-hailing platform.
Uber has now been fined a combined total of roughly $1.2M USD by the data protection authorities of the United Kingdom and the Netherlands, which accuse the company of inadequate data security practices and of failing to properly report the data breach it suffered two years ago. The authorities argue that the incident, which the company took a year to report, exposed Uber drivers and riders to an increased risk of fraud.
The incident compromised the personal information of over 50 million users and 3 million Uber drivers worldwide, including names, email addresses and phone numbers. According to digital forensics specialists, in some cases the attackers also obtained location data, access tokens and user passwords. The intrusion took place in October 2016, but Uber kept it undisclosed until November 2017.
The United Kingdom Information Commissioner's Office (ICO), which enforces data protection law in Britain, has fined Uber £385,000. The ICO said the incident was the result of “a series of flaws” in Uber's IT infrastructure, and that about 3 million Uber users in the UK were affected.
The ICO investigation found that the breach was made possible by “credential stuffing”, a technique in which username and password pairs stolen from other breaches are tried automatically, at scale, against a site until some of them match existing accounts. Uber stores its data in Amazon Web Services Simple Storage Service (S3), a cloud-based object storage service.
The attacker was able to access multiple Uber S3 buckets because the company's engineering team had left the S3 access credentials in code uploaded to GitHub, the popular code hosting and collaboration platform. “Uber's S3 account access credentials were in a plain-text file stored on GitHub,” the ICO said.
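The failure described above, a long-lived AWS key pair sitting in plain text in a repository, is exactly what pre-commit and CI secret scanning exists to catch. The following is an added example written for this page, not code from Uber, the ICO or AWS. It scans text (or a whole checkout) for AWS access key IDs, whose `AKIA`/`ASIA` prefix and 16-character suffix are AWS's documented format, and for 40-character tokens with the shape of an AWS secret key, using a Shannon-entropy cut-off (an assumed value of 4.0 bits per character) to discard look-alikes such as git SHA-1 hashes. The sample configuration embedded below is constructed and uses only the documentation-only example credentials that AWS publishes; they are not live keys.

```python
"""Detect AWS credentials committed to source text.

Added example for this article; not Uber's, the ICO's or AWS's code.
Assumptions: the 40-character secret-key shape, the entropy threshold and
the directory-skip list are choices made for this example.
"""
import math
import os
import re
import sys
from collections import Counter

# AWS documents access key IDs as AKIA (long-lived) or ASIA (temporary) plus 16
# uppercase alphanumerics. Lookarounds stop the match bleeding into longer tokens.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret keys are 40 characters drawn from the base64 alphabet (assumed shape).
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])")
SECRET_ENTROPY_THRESHOLD = 4.0  # bits per character; assumed cut-off for this example


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(secret: str) -> str:
    """Keep only the ends so the scanner's own report does not leak the key."""
    return secret[:4] + "..." + secret[-4:]


def scan_text(text: str, source: str = "<memory>") -> list:
    """Return one finding dict per credential-looking token in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append({"source": source, "line": lineno,
                             "kind": "aws_access_key_id", "value": m.group(0)})
        for m in SECRET_KEY_RE.finditer(line):
            token = m.group(0)
            # A 40-character hex digest (e.g. a git SHA-1) has at most 16 distinct
            # symbols and cannot be perfectly uniform over 40 positions, so its
            # entropy is strictly below 4 bits/char and the threshold drops it.
            if shannon_entropy(token) >= SECRET_ENTROPY_THRESHOLD:
                findings.append({"source": source, "line": lineno,
                                 "kind": "aws_secret_access_key", "value": redact(token)})
    return findings


def scan_tree(root: str, skip_dirs=(".git", "node_modules", ".venv")) -> list:
    """Walk a checkout and scan every readable file as UTF-8 text."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    findings.extend(scan_text(fh.read(), source=path))
            except OSError:
                continue
    return findings


# Constructed sample resembling a committed AWS config file. The key pair is the
# documentation-only example published by AWS, not a live credential; the final
# line carries a SHA-1 digest to show the entropy filter rejecting it.
SAMPLE_CONFIG = """[default]
region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# last deploy: da39a3ee5e6b4b0d3255bfef95601890afd80709
"""

if __name__ == "__main__":
    # Usage: python scan_secrets.py [path]; without a path, scans the sample.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = scan_tree(target) if target else scan_text(SAMPLE_CONFIG, "sample.cfg")
    for f in results:
        print(f"{f['source']}:{f['line']}: {f['kind']} {f['value']}")
    sys.exit(1 if results else 0)  # non-zero exit fails a pre-commit hook or CI job
```

Run against the sample it reports the key ID on line 3 and a redacted secret on line 4, ignores the commit hash on line 5, and exits non-zero so a pre-commit hook or CI job would block the push. Pattern matching like this is the cheap layer; the structural fix for the incident above is never needing a long-lived key in a repository at all, by having workloads obtain short-lived credentials from an IAM role instead.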
Separately, the Autoriteit Persoonsgegevens, the Dutch data protection authority, imposed a fine of €600,000 on Uber for violating Dutch data protection law. “The company was fined for not reporting the data breach within 72 hours of discovering the incident,” the Dutch authority said. An estimated 174,000 Dutch users were affected by the data theft.
The breach occurred while Travis Kalanick was Uber's CEO, but it remained undisclosed until November 2017, after Dara Khosrowshahi had taken over as CEO and ordered a forensic investigation.
It eventually emerged that Uber had paid $100,000 USD to a young hacker from Florida for a “bug report” under its bug bounty program. The authorities, however, consider that the hacker was the person who had actually obtained the data, and that the payment was in effect a bribe to keep the incident secret.
The breach took place before the European Union's General Data Protection Regulation (GDPR) came into force, so Uber was sanctioned under the United Kingdom's Data Protection Act 1998. Fines under that Act were capped at £500,000; under the GDPR, the same conduct could draw a penalty of up to €20 million or 4% of global annual turnover, whichever is higher.