A Canadian and an American were behind the huge 2016 hack of Uber Technologies customer data, the company’s CISO told a U.S. Senate sub-committee Tuesday.
“I understand that the original individual was located in Canada, and that his partner, who actually obtained the data, was in Florida,” John Flynn said in a prepared statement to senators. “I further understand that the attribution team made contact with both individuals and received assurances that the data had been destroyed.
“As you know, Uber paid the intruders (US)$100,000 through HackerOne and our bug bounty program. Our primary goal in paying the intruders was to protect our consumers’ data. This was not done in a way that is consistent with the way our bounty program normally operates, however. In my view, the key distinction regarding this incident is that the intruders not only found a weakness, they also exploited the vulnerability in a malicious fashion to access and download data.”
The breach was only discovered Nov. 14, 2016 when Uber’s security team received emails from an anonymous person who claimed to have accessed personal data and demanded a six-figure payment. Within 24 hours, investigators realized the data came from back-up files stored in a password-protected AWS S3 bucket. “We learned that the intruder found the credential contained within code on a private repository for Uber engineers on GitHub, which is a third party site that allows people to collaborate on code,” Flynn testified. “We immediately took steps to implement multifactor authentication for GitHub and rotated the AWS credential used by the intruder. Despite the complexity of the issue and the limited information with which we started, we were able to lock down the point of entry within 24 hours.”
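The root cause Flynn describes, a long-lived AWS credential sitting in source code on a shared repository, is exactly what a pre-commit or CI secret scan is meant to stop before the push happens. The scanner below is an added example written for this page; it is not Uber’s tooling and nothing in the testimony describes how Uber scans for secrets. The AKIA/ASIA prefix and the 20- and 40-character key lengths are AWS’s documented key formats, the key values in the sample are the placeholder keys from AWS’s own documentation, the sample config and diff are constructed, and the 4.0-bit entropy threshold is an assumption chosen to separate random key material from ordinary identifiers.

```python
"""Added example: scan committed source (or just the added lines of a diff)
for AWS credentials. Not Uber's code; sample inputs below are constructed."""
from __future__ import annotations

import math
import re
from collections import Counter
from dataclasses import dataclass

# AWS access key IDs are 20 characters: AKIA (long-term) or ASIA (temporary STS)
# followed by 16 upper-case letters/digits. Lookarounds stop partial matches.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

# Secret access keys are 40 base64-alphabet characters. That alone also matches
# git SHAs and other tokens, so a candidate is only reported when the line
# carries a hint word AND the string has the entropy of random key material.
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+=])([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")
SECRET_HINT_RE = re.compile(r"aws|secret|access_key|credential", re.IGNORECASE)
MIN_ENTROPY_BITS = 4.0  # assumption: random base64 is ~4.7-5.3, prose/hex is lower


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    value: str


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's own symbol distribution."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(path: str, text: str, first_line: int = 1,
              min_entropy: float = MIN_ENTROPY_BITS) -> list[Finding]:
    """Report access key IDs and high-entropy secret keys in a block of text."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=first_line):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(path, line_no, "aws_access_key_id", m.group(0)))
        if SECRET_HINT_RE.search(line):
            for m in SECRET_KEY_RE.finditer(line):
                if shannon_entropy(m.group(1)) >= min_entropy:
                    findings.append(Finding(path, line_no, "aws_secret_access_key", m.group(1)))
    return findings


def scan_diff(diff: str, min_entropy: float = MIN_ENTROPY_BITS) -> list[Finding]:
    """Scan only the '+' lines of a unified diff, as a pre-commit hook would,
    tracking the new-file line number from each @@ hunk header."""
    findings: list[Finding] = []
    path, new_line_no = "<unknown>", 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
        elif raw.startswith("@@"):
            m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw)
            new_line_no = int(m.group(1)) - 1 if m else 0
        elif raw.startswith("+"):
            new_line_no += 1
            findings.extend(scan_text(path, raw[1:], new_line_no, min_entropy))
        elif raw.startswith("-"):
            continue  # removed lines do not advance new-file numbering
        else:
            new_line_no += 1  # context line
    return findings


# Constructed sample: a settings file as it might be committed to a private repo.
SAMPLE_CONFIG = """\
# constructed sample: settings.py committed to a private repo
S3_BACKUP_BUCKET = "rider-db-backups"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
PLACEHOLDER_SECRET = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"  # low entropy, ignored
GIT_COMMIT = "3b5a9c0d1e2f4a6b7c8d9e0f1a2b3c4d5e6f7a8b"  # no hint word, ignored
"""

# Constructed sample: the same keys arriving as added lines in a commit.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,3 +10,5 @@
 S3_BACKUP_BUCKET = "rider-db-backups"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
 RETAIN_DAYS = 30
"""

if __name__ == "__main__":
    for f in scan_text("settings.py", SAMPLE_CONFIG) + scan_diff(SAMPLE_DIFF):
        print(f"{f.path}:{f.line_no}: {f.kind} {f.value[:4]}...")
```

Wired into a pre-commit hook, `scan_diff` on the staged diff blocks the commit that would have put the key on GitHub; a scheduled `scan_text` over the whole tree catches keys that were committed before the hook existed. Either way the finding is the start of the response, not the end: a key that has reached a shared repository, even a private one, should be treated as exposed and rotated, which is the step Flynn describes taking once the intrusion was found.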
But after paying the “bug bounty,” Uber stayed silent on the breach and didn’t notify customers. It was only several months later, after new leadership had taken over, that the CEO learned of the breach and hired an outside firm to investigate. It found the stolen data included information on approximately 57 million users worldwide, including approximately 25 million users in the United States and 8,000 in Canada.
For nearly all users, Flynn said, the downloaded files included names, email addresses and phone numbers. In some cases, the information also included information collected from or created about users by Uber, such as Uber user IDs, certain one-time locational information (e.g., the latitude and longitude corresponding to the location where the user first signed up for the Uber service), user tokens, and passwords stored as salted hashes rather than in the clear. Of the driver accounts, approximately 600,000 included driver’s license numbers. There was no indication that trip location history, credit card numbers, bank account numbers, Social Security numbers, or dates of birth were stolen, he added.
Still, the incident didn’t come to light until November 2017, 11 months after the company knew about it.
Flynn repeated CEO Dara Khosrowshahi’s apology and said “it was wrong not to disclose the breach earlier. The breach should have been disclosed in a timely manner. The company is taking steps to ensure that an incident like this does not happen again, with personnel changes and additional remedial actions. We are working to make transparency and honesty core values of our company.”
“We recognize that the bug bounty program is not an appropriate vehicle for dealing with intruders who seek to extort funds from the company. The approach that these intruders took was separate and distinct from those of the researchers in the security community for whom bug bounty programs are designed. While the use of the bug bounty program assisted in the effort to gain attribution and, ultimately, assurances that our users’ data were secure, at the end of the day, these intruders were fundamentally different from legitimate bug bounty recipients.”
Among moves to increase security, the company no longer allows developers to use GitHub except for posting items like open source code. It has also expanded the use of multifactor authentication protocols for AWS service accounts, and it has hired Matt Olsen, a former general counsel of the National Security Agency and director of the National Counterterrorism Center, to help structure the security team and implement new security processes.
According to Security Week, Flynn’s boss, Uber chief security officer, Joe Sullivan, and in-house lawyer Craig Clark were fired over their roles in the breach.