Uber-like hacks ‘happen all the time,’ Israeli cyber expert says

CEO reveals a 2016 cyber-attack in which hackers stole data on 57 million of Uber’s drivers and riders

Shoshanna Solomon was The Times of Israel's Startups and Business reporter

Uber advertising for taxi service at bus station (Credit: AdrianHancu, iStock by Getty Images)
Uber advertising for taxi service at bus station (Credit: AdrianHancu, iStock by Getty Images)

Cyber-attacks, like a newly revealed hack against ride-hailing firm Uber, happen on a daily basis but are often kept under wraps, an Israeli cyber-security expert said in an interview with The Times of Israel.

“Developers make mistakes on the cloud infrastructure, and hackers take advantage of that,” said Kobi Ben-Naim, the head of the cyber research lab at CyberArk, Israel’s second-largest public cybersecurity firm.

Uber’s newly appointed CEO Dara Khosrowshahi admitted in a statement Tuesday that in 2016 two outside hackers had “inappropriately” accessed user data stored on a third-party cloud-based service used by the ride sharing firm, enabling the hackers to steal data on 57 million drivers and riders. The disclosure — so long after the hack actually happened — has generated a huge outcry, and the UK’s data protection agency has said that the company’s announcement raises concerns about the ride sharing firm’s “data protection policies and ethics.”

Uber’s data was stored on an Amazon Web Services cloud account, CNET reported.

As companies move toward developing their software on publicly available cloud services, which allows them to develop and publish their software in a more efficient and faster manner — they also expose themselves to cyber-attacks, Ben-Naim said. Moving to the cloud, as opposed to developing software in-house on the companies’ own private networks, “makes the attack surface much larger,” he said.

Illustrative: A hacker at work (supershabashnyi, iStock by Getty Images)

Hackers know that developers often make mistakes and put their credentials — like user names and passwords — on the cloud, he said, so they use robot-like software to surf the cloud for these kinds of flaws.

The hacking “incident did not breach our corporate systems or infrastructure,” Uber’s CEO Khosrowshahi, who took his post in August, wrote in a statement on Nov. 21.

And while there was no indication that trip location history, credit card numbers or social security and bank account numbers were downloaded, the hackers were able to get their hands on the names and drivers’ license numbers of around 600,000 drivers in the US, and personal information of about 57 million Uber users, including the drivers, around the world, he said.

CyberArk’s Kobi Ben-Naim, the head of the cyber research lab (Courtesy)

There are ways for companies to protect themselves against these kinds of hacks on the cloud, CyberArk’s Ben-Naim said. There is software available, including that developed by CyberArk, that monitors code and alerts developers when they make mistakes, he said. And CyberArk software also allows developers to use an equivalent of their credentials — and not their real user names or passwords on the cloud — so that if there is a hack, the real information is not available.

Analyst firm Forrester estimates that 80 percent of security breaches involve privileged credentials. Despite this, according to a recent CyberArk survey, 75% of organizations surveyed said they had no strategy to manage and secure software development and software operation secrets, with 99% of respondents failing to identify all places where privileged accounts or secrets exist.

Uber’s Khosrowshahi added that the company had discovered the breach in November 2016 but did not let its drivers know about it.

“At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals,” Khosrowshahi said. “We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.”

Bloomberg reported that the company paid $100,000 to the hackers to delete the information and keep the issue quiet. Uber has also ousted two individuals – its chief security officer and one of his deputies, Bloomberg said — for keeping the hack a secret.

Most Popular
read more: