Uber’s Security Breach Linked to Two Key Vendors: Lessons Learned

November 29, 2017

It’s no secret that Uber has had some challenges come to light in the past couple of years. From driver misconduct to leadership crumbling to an uproar about surge pricing after a London terrorist attack, the company has certainly faced some major issues — and customers haven’t held back in sharing their opinions about what they think. The company has made some drastic changes to its model and even hired a new CEO, Dara Khosrowshahi, who is shaking things up. Unfortunately, though, one of those “shake ups” brought about a new problem: a massive data breach that was covered up for over a year.

2017 has been chalk full of cybersecurity meltdowns. Equifax, Yahoo, WannaCry, Cloudbleed, and even exposed voter records topped the list of the biggest disasters we’ve seen in 2017 (so far — we still have a month to go). Hardly a week or two pass by without some new security threat, virus, or cybersecurity hack taking over the news. And, thanks to the massive adoption of new SaaS and cloud-based tools across enterprises of all sizes, it’s doubtful those stories will slow down anytime soon.

Many of these cybersecurity disasters are caused by third party vendors inadvertently compromising data, or unknowingly allowing it to be compromised. Take these statistics for example: 67% of companies don’t inventory their vendors or what information they are accessing, according to a recent Ponemon Institute© Research Report. But according to Trustwave, 63% of data breaches are linked to third parties in some way.

Uber’s breach is no exception. In this article, we’ll take a look some of the lessons that you can learn from this attack and tips for how to prevent third party vendor security issues at your organization.

The Uber Data Breach Facts

In October 2016, Uber experienced a massive breach to its system, which compromised personal and identifiable information for both drivers and passengers, affecting some 57 million individuals. The data compromised included approximately 600,000 driver license numbers for U.S. drivers.

Rather than confront the situation head on and inform customers, drivers, investors, and the general public, Uber decided to pay hackers $100,000 to keep the situation quiet.

So how did the breach happen? A Bloomberg report says the attack occurred “because attackers managed to gain login credentials for an Uber Amazon Web Services account using a private GitHub site maintained by Uber engineers.” While one of the causes of attack as explained by Bloomberg seems to be the improper handling of login credentials, their report also reveals that two key vendors were directly utilized in facilitating the attack. As we have discussed previously, it is more and more common for breaches to be directly linked to access to a vendor’s system — and this is no exception.

Lessons to Learn From Uber’s Mistakes

Unfortunately for Uber, many things are wrong with this scenario. We could go on and on about what Uber should have done once they discovered the breach, but the purpose of this article is to focus on what we can learn about preventing a security disaster like this in the first place.

As third parties can pose major security issues, it’s imperative to have a proper vendor security assessment process in place to not only catch problems before a vendor is signed as a partner, but to continue the assessment process and monitor red flags throughout the entire lifetime of the partnership — including what type of information can be stored on vendor systems. While we don’t have insight into the specifics of Uber’s vendor assessment process, it’s important for all organizations to follow these steps:

  1. Create a Vendor Inventory List: Your company should create a complete list of all vendors and their services to understand the risks associated with its third party vendors. In Uber’s case, this list would have included the partnerships with AWS and GitHub.
  2. Know What Informations Vendors Are Able to Access: Another critical step is to prepare for and minimize risk by having a thorough understanding of what sensitive information or applications vendors can access. This data can inform the restrictions you put in place on your third party relationships and the level of scrutiny these relationships undergoe.
  3. Design an Assessment Process That Matches The Risk Level of Each Vendor: You should ask questions of each of your vendors to ensure their policies and procedures abide by industry-acceptable best practices.
  4. Build An Ongoing Process to Gather Vendor Information and Data Access: Whenever someone at your company purchases a new software, the Information Security team should be involved in the procurement process — no exceptions. It only takes one incident for the entire organization to be exposed to an outside threat. While AWS and GitHub are recognizable companies that the Uber team likely had visibility into, it leads us to wonder how many other vendors doing business with Uber might carry similar risks.

Prevent Similar Third Party Vendor Breaches

By following the vendor assessment steps outlined above, your Information Security team can be confident in the third party vendor relationships your organization enters into. Without arming yourself with data and a thorough understanding of what information can be accessed by each vendor, your organization could be setting itself up for a similar issue. Let the Uber case study be a lesson to all enterprises that you can never be too safe when it comes to third party vendors — even when they seem to be rock solid and reputable.

Ready to Learn More?

Check out our resources below for more third party vendor best practices and insights on how your organization can effectively approach security assessments.

eBooks:

Why Third Party Security is Critically Important

Product Demo:

Request a Live Demo with a Whistic Product Specialist

cybersecurity risk assessment vendor management cyber risk management it risk management

About the author

Whistic
Whistic

The latest insights and updates on information security and third party risk management.

Hate security reviews?
Want FREE AirPods?*

Offer valid for any decision-maker/influencer in relation to your company’s third-party risk management strategy. Company size must exceed 100 employees. Exclusions apply. Limit 1 pair per company.

Close