Sunday, 15 April 2018

Uber Data Breach


Year and Location of Breach: 2016, USA
Impact: 57 million Uber users and 600,000 drivers
Introduction: Uber Technologies Inc. is a peer-to-peer ridesharing, food delivery, and transportation network company headquartered in San Francisco, California, with operations in 633 cities worldwide. Its platforms can be accessed via its websites and mobile apps. In 2016, however, two hackers obtained the names, email addresses, and mobile phone numbers of 57 million users of the Uber app, along with the driver's license numbers of 600,000 Uber drivers. Instead of notifying the affected drivers and users in a timely manner, Uber paid the hackers to delete the data quietly. This irresponsible act attracted a lawsuit from Pennsylvania Attorney General Josh Shapiro for violating the data breach notification law.
Reason: Uber stored its database on Amazon Web Services (AWS). However, the username and password for Uber's AWS account were stored in Uber's GitHub account. GitHub is a popular online code-repository service based on the open-source Git version control system. The hackers were able to access Uber's GitHub account. Uber stated that the username and data were encrypted, but GitHub stored the database in a Postgres database, and Postgres has a well-known potential weakness relating to "key disclosure issues" when encrypting database fields. The intruders found the credentials [for AWS] contained within code on a private GitHub repository for Uber engineers.
Solution: Uber removed the username and password from GitHub. GitHub changed the programming interfaces that could be used to provide direct access to databases, and recommended multi-factor authentication.
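The root cause above was AWS credentials committed to a code repository. As an added defensive example (not Uber's or GitHub's own code), the following pre-commit style scanner flags AWS access key IDs and secret access keys in staged files before they reach a repository; the patterns, file names and credential values are constructed for the demonstration.

```python
import re
from typing import Dict, List, Tuple

# Hypothetical patterns for the two kinds of AWS credential involved in the breach.
PATTERNS: Dict[str, re.Pattern] = {
    # Long-term (AKIA) and temporary (ASIA) access key IDs: 4-letter prefix + 16 chars.
    "aws_access_key_id": re.compile(r"\b(?P<value>(?:AKIA|ASIA)[0-9A-Z]{16})\b"),
    # A 40-character secret assigned to a variable whose name contains aws...secret.
    "aws_secret_access_key": re.compile(
        r"(?i)aws.{0,20}secret.{0,20}['\"]?\s*[:=]\s*['\"]?"
        r"(?P<value>[A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
    ),
}

def redact(value: str) -> str:
    """Keep only the first and last four characters so the report cannot leak the secret."""
    return value[:4] + "..." + value[-4:]

def scan_text(text: str) -> List[Tuple[int, str, str]]:
    """Return one (line_number, finding_type, redacted_value) tuple per hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append((lineno, name, redact(m.group("value"))))
    return findings

def scan_files(files: Dict[str, str]) -> Dict[str, List[Tuple[int, str, str]]]:
    """Scan a mapping of path -> contents (e.g. a commit's staged files).
    A non-empty result means the commit should be refused."""
    results = {}
    for path, content in files.items():
        hits = scan_text(content)
        if hits:
            results[path] = hits
    return results

# Constructed sample input: one config file with hard-coded AWS credentials, one clean file.
SAMPLE_FILES = {
    "config/settings.py": (
        'DB_HOST = "db.internal"\n'
        'AWS_ACCESS_KEY_ID = "AKIAEXAMPLE000000001"\n'
        'AWS_SECRET_ACCESS_KEY = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMN"\n'
    ),
    "README.md": "Credentials are read from the environment at runtime.\n",
}

if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        for lineno, kind, value in hits:
            print(f"{path}:{lineno}: {kind} {value}")
```

Wired into a pre-commit hook, a non-empty result from scan_files blocks the commit; rotating any key that was already pushed is still required, since removing it from the current tree does not remove it from history.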
