Uber Fined for Covering Up 2016 Data Breach

The UK's Information Commissioner's Office (ICO) and its corresponding data protection authority in the Netherlands (Autoriteit Persoonsgegevens), announced their decision to fine Uber for the data compromise in October 2016. The penalties are £385,000 and €600.000, respectively.

According to ICO, the hack impacted about 2.7 million Uber users in the UK. To this, records of almost 82,000 drivers are added, which included details about the rides and payment received. For its part, the Dutch Data Protection Authority (DPA) reports that the breach leaked details of 174,000 Dutch citizens.

The attackers were able to steal the data by gaining illegal access to Uber's Simple Storage Service (S3) buckets from Amazon Web Services and downloaded a total of 16 files.

This was possible through credential stuffing, ICO says in its penalty notice to the company.
As a result of its inquiries, UK's ICO believes that the hackers obtained the S3 access credentials from a private GitHub repository belonging to Uber US. They logged into the GitHub account with a username and password collected from a previous data breach. The method is called 'credential stuffing' and exploits the bad practice of recycling the same password for other online accounts.

This method yielded great results as the hackers were able to identify GitHub accounts of 12 Uber employees in the US.

Post a Comment