Uber Fined $1.2 Million in EU for Breach Disclosure DelayCredential Stuffing Attack Cracked Uber's Amazon S3 Buckets, Investigators Say
Ride-hailing platform Uber Technologies' year-long cover-up of its 2016 data breach continues to bite back.
On Tuesday, Uber was slammed with a total of $1.2 million in fines by data protection authorities in both the U.K. and the Netherlands over the company's inadequate information security practices as well as its failure to report a massive data breach to regulators in a timely manner. Regulators say the delayed data breach notification to victims, one year after the incident occurred, left Uber's drivers and customers at increased risk of fraud.
The breach compromised personal information for 57 million Uber users around the world, including 3.7 million non-U.S. drivers and 32 million non-U.S. customers. Nearly all of the exposed data sets included names, email addresses and phone numbers. For some users, Uber IDs and location data were leaked, along with tokens or hashed and salted passwords. Although the breach occurred in October 2016, Uber did not reveal it until November 2017 (see Did Uber Break Breach Notification Minimum-Speed Limits?).
UK Fines Uber £385,000
The U.K. Information Commissioner's Office, which enforces the country's data protection rules, has fined Uber £385,000 ($490,000). It says in a Tuesday news release announcing the fine that attackers exploited "a series of avoidable data security flaws" in Uber's IT infrastructure.
The ICO says the Uber breach exposed about 2.7 million U.K. Uber customers' full names, email addresses and phone numbers, which it says were "accessed and downloaded by attackers." It also says that any users who switched on the Uber app's location functionality when they signed up had their "initial sign-up location" data compromised as well.
Information on 82,000 U.K. Uber drivers was also exposed, including "summaries of the rides provided by the drivers, such as how much drivers were paid over a week, a summary on a trip by trip basis, the type of ride and when the invoice was created," the ICO says.
The incident, a serious breach of principle seven of the Data Protection Act 1998, had the potential to expose the customers and drivers affected to increased risk of fraud.— ICO (@ICOnews) November 27, 2018
Read more here: https://t.co/7uQDnBbeX3 pic.twitter.com/1DB5oyj53s
"The ICO investigation found 'credential stuffing,' a process by which compromised username and password pairs are injected into websites until they are matched to an existing account, was used to gain access to Uber's data storage," it says (see: Credential Stuffing Attacks: How to Combat Reused Passwords).
Uber uses a cloud-based storage service, Amazon Web Service's Simple Storage Service, or S3, to store data in cloud-based "buckets."
An attacker was able to access multiple Uber S3 buckets after Uber engineers left S3 access credentials in code they uploaded to GitHub, the web-based code sharing and development platform (see: Pennsylvania Sues Uber Over Late Breach Notification).
"The [redacted] account credential was contained in plain text in a piece of code that was stored in GitHub," the ICO says in its monetary penalty notice.
"This was not only a serious failure of data security on Uber's part, but a complete disregard for the customers and drivers whose personal information was stolen," says Steve Eckersley, the ICO's director of investigations, in a statement. "At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable."
"Over the period 13 October - 15 November 2016, Uber U.S.'s stored data in a set of Uber U.S.'s buckets on S3 was subject to an external cyberattack," the ICO says. "The attackers obtained IAM [identity and access management] credentials for an Uber U.S. service account known as [redacted], through which they were able to access files in Uber U.S.'s S3 datastore."
The ICO notes that Uber's count of data breach victims is based on attackers having only accessed 16 specific S3 buckets created by Uber.
But the ICO says Mandiant's investigation found that the same IAM credential pair could be used to access more than 100 buckets, and Uber does not maintain the access and change management logs that it would require to definitively prove if attackers did or did not access the other buckets, and if they may have contained personal data.
Dutch DPA Fines Uber €600,000
The data protection authority in the Netherlands, the Autoriteit Persoonsgegevens, on Tuesday imposed a fine of €600,000 ($680,000) on Uber for violating Dutch data breach regulations. The DPA said it fined Uber "because it did not report the data breach to the Dutch DPA and the data subjects within 72 hours after the discovery of the breach."
The DPA says 174,000 Dutch citizens were affected by the breach, and that exposed data included customers and drivers' names, email addresses and telephone numbers.
Uber Settled With States
The fines from the two DPAs arrive two months after Uber reached a $148 million settlement agreement with the attorneys general of all 50 U.S. states and the District of Columbia. That settlement stemmed from the company's failure to report a massive 2016 data breach in a timely manner, as well as the company's inadequate information security practices (see: Uber Reaches $148 Million Breach Settlement With States).
Under the terms of the settlement agreement, Uber must put in place "privacy by design" practices, report all data security incidents to states on a quarterly basis for the next two years, and create a corporate integrity program and maintain a hotline for reporting any data security or privacy misconduct
Breach Disclosure Timeline
The Uber breached occurred while Travis Kalanick was serving as CEO. But it didn't come to light until November 2017, following Dara Khosrowshahi becoming Uber's CEO on Sept. 5, 2017, and reportedly learning about the breach two weeks later, after it was discovered by an internal review launched by the company's board of directors. In November 2017, he issued Uber's first notification to the public, as well as to law enforcement agencies and regulators (see Did Uber Break Breach Notification Minimum-Speed Limits?).
A digital forensic investigation by cybersecurity consultancy Mandiant was commissioned by the board.
Khosrowshahi fired CSO Joe Sullivan and his deputy, allegedly over their handling of the breach (see Fast and Furious Data Breach Scandal Overtakes Uber).
Subsequently, it emerged that Uber had paid $100,000 to a 20-year-old in Florida for what it portrayed as a "bug bounty," but which authorities say looked more like hush money, tied to a breach of code that Uber's engineers appeared to have uploaded to the GitHub code-sharing service (see: Report: Uber Paid Florida 20-Year-Old $100,000 Over Hack).
The ICO says Uber's attackers first contacted it on Nov. 14, 2016, demanding "a payment of at least $100,000 to reveal how they had accessed the S3 accounts ... and also implied that they would not destroy the data they had downloaded until the monies were received."
"Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyberattack," the ICO's Eckersley says. "Although there was no legal duty to report data breaches under the old legislation, Uber's poor data protection practices and subsequent decisions and conduct were likely to have compounded the distress of those affected."
The ICO notes that beyond paying off its attackers, Uber implemented "a new key management system for credentials that access S3," began requiring multifactor authentication to access its S3 buckets - as well as another system, the name of which has been redacted - and also moved most of its source code off of GitHub and into internal code repositories.
GDPR Was Not Yet In Effect
Because the data exposure occurred before May 25 of this year, it did not fall under the EU's General Data Protection Regulation, which went into full effect on that day. Instead, it was subject to the U.K.'s 1998 Data Privacy Act.
"Due to the timing of this investigation, the civil monetary penalty has been issued under the previous legislation, the Data Protection Act 1998," the ICO says. "The maximum financial penalty in civil cases under former laws is £500,000," or $640,000. Only two companies to date have received the maximum fine under the DPA 1998: Equifax and Facebook.
Since May 25, however, organizations handling U.K. individuals' personal data must comply with GDPR as well as the U.K.'s Data Protection Act 2018, which includes wider requirements, including additional law enforcement and security provisions. Any breaches which have spanned that date or occurred since then fall under GDPR's provisions.
Organizations that fail to comply with GDPR's privacy requirements face fines of up 4 percent of their annual global revenue or €20 million ($23 million), whichever is greater. Organizations that fail to comply with GDPR's reporting requirements also face a separate fine of up to €10 million ($11 million) or 2 percent of annual global revenue (see: GDPR Effect: Data Protection Complaints Spike).