The Uber Case: Dos And Don´ts When Dealing With A Data Leak




Recently Uber disclosed that data from 57 million customers and driverswas stolen from them. This is one of the multiple data leak cases that have been known in recent years, where large companies (Equifax, Yahoo, etc.) have been compromised and much of their customers´ data has been stolen. If your company has critical and sensitive data stolen there is a couple of things you must not do and others that you must do; we will use the case of Uber as an example to guide you through them.

– To provide some context, in October 2016, Uber discovers that they have been attacked and a large amount of their data has been stolen. They discovered it because the thieves themselves warned them by asking them for money. If you are told about the theft of your data by the thieves themselves, then your prevention against attacks is, at the very least, scarce. There are many tools to avoid this, from the detection of intrusions to the awareness of employees if a case of phishing occurs (which, lately, is the most common way to get credentials that allow stealing data). Prevention in security is essential, and although in the real world it is not always 100% effective, most data thieves will always prefer to attack an unprotected company rather than one with effective protection.

– Uber receives the warning from the thieves that they have their data and in exchange for it, they ask for $ 100,000. The decision Uber took in this case was to pay the money. This is a clear example of what you should NOT do, for several reasons:

  1. The first because you have no way to verify that the data has really been deleted and even if you are given proof, you can not know if the data has been sold to third parties. You are relying on the word of a thief, which is obviously insufficient.
  2. The second, because although they have stolen your data (data you have collected and stored), it is not actually your information, it is not your company’s accounts, nor your internal emails; it is the information of people who have shared it with you so that they have access to your platform, and that must always be taken into account.
  3. The third is that you are indirectly promoting this kind of criminal acts. If those thieves have stolen your data and have obtained money, they will continue to do so by attacking other companies to obtain a benefit.
  4. And finally, as in any criminal act, the first step should have been to notify the competent authorities. Nowadays there are more and more authorities that have specialized divisions for these cases, where authentic experts are dedicated to pursuing these criminals.

– As discussed in the previous point, you are responsible for storing the data of your customers, so, by the time you realize this data is no longer protected, your first task should be to notify your customers, since that data leak can, depending on the data that has been stolen, generate other attempts to extort or steal from them. We are not going to detail which is the ideal method to make a statement of this type, but in this article, you can find some tips that will be of great help if you come across this problem. In the case of Uber, it took them one year (!!!!) since the leak occurred until it was made public. During that time, customer data has wandered around the network without control, possibly passing from hand to hand among criminals who may have been using it for other criminal purposes.

– In addition to being morally responsible for notifying your customers, you are also legally responsible for notifying the competent authorities. In many countries there are (or are being implemented) laws that regulate the procedures for companies that have had a security problem regarding data stolen, so that when a company is aware that it has suffered a data theft, it legally has to notify the competent organizations. Failure to do so is a crime, for which the company can be fined and those responsible for it charged. And here again Uber did what should never have been done, since at that moment they were being investigated by a previous data leak and did not want to divulge that information for fear that the knowledge of this would do even more damage to the other investigation, for which in the end they were prosecuted.

As you can see, throughout this article we have never used the word “hackers” to refer to people who have stolen information from Uber (or any other company). This has a very simple explanation, and that is that the Word hacker is currently being used as a synonym for computer delinquent, something that can not be further from reality. This distinction is important, because at some point a hacker may contact your company to notify you that he or she has detected an important security problem, he or she will give you more information, and that it is urgent. This person is not going to try to extort you, he will not divulge that information and he will not try to do anything bad to your company. Make things easier for them, help them as much as possible (this is what Tesla is doing), do not treat them like a criminal and thank them when the problem is solved.


Article written by Luis Cuervo, Security Manager at Barbara IoT.