Incident Details
Uber suffered data breaches in 2014 and 2016. In both cases attackers reached unencrypted user data stored in Amazon S3 by using AWS access keys taken from Uber's GitHub repositories.
Incident
How Did the Breach Happen?
In 2014, an attacker found an AWS access key that an Uber engineer had posted to a public GitHub page and used it to read the S3 datastore. In 2016, attackers logged into a private Uber GitHub repository with engineers' credentials, found an AWS key in the code there, and used it to download backups from S3.
What Data has been Compromised?
In 2014, the names and driver's license numbers of over 100,000 drivers, and in some cases bank account and routing numbers, were downloaded. In 2016, personal information of over 57 million riders and drivers (names, email addresses and phone numbers) was compromised, including the driver's license numbers of about 600,000 drivers.
Why Did the Company's Security Measures Fail?
Uber did not employ sufficient access controls: engineers were not required to use distinct AWS access keys, the keys were long-lived and shared, multifactor authentication was not mandatory for GitHub, and the data in S3 was stored in plaintext. A single credential lifted from a repository, or reused from another site, was therefore enough to reach all of the data.
What Immediate Impact Did the Breach Have on the Company?
Uber paid $148 million to settle with the US state attorneys general for concealing the 2016 breach for about a year, and its existing Federal Trade Commission (FTC) settlement over the 2014 breach was expanded. Uber's Chief Security Officer, Joe Sullivan, was later convicted of obstruction of the FTC proceedings and misprision of a felony for his role in the cover-up.
How could this have been prevented?
Keeping credentials out of source control, enforcing distinct and regularly rotated AWS access keys (or short-lived role credentials) with least-privilege permissions, requiring multifactor authentication for GitHub, and not reusing passwords across services would have removed the path the attackers used in both breaches; encrypting the stored data would have limited the damage even after a key was exposed.
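The control that addresses the root cause of both incidents is stopping AWS keys from being committed in the first place. As an added example (not Uber's code or any tool named on this page), the following Python script scans only the added lines of a unified diff, such as the output of `git diff --cached`, for AWS access key IDs and secret access keys, so it can run as a pre-commit hook and reject the kind of commit that exposed the 2014 and 2016 keys. The diff it scans is constructed here and the key values are the placeholder credentials AWS publishes in its own documentation; the rule of only flagging a 40-character secret that sits beside an identifier naming an AWS secret key, and the entropy threshold of 3.5 bits per character, are assumptions.

```python
"""Scan the added lines of a unified diff for AWS credentials.

Added example for this page, not Uber's code. Usage as a pre-commit hook:
    git diff --cached | python scan_diff_for_aws_keys.py
Exit status 1 means a credential-looking string was found.
"""
import math
import re
import sys
from collections import Counter
from typing import List, NamedTuple

# AWS access key IDs are 20 characters: the documented AKIA (long-term user key)
# or ASIA (temporary STS key) prefix plus 16 upper-case letters or digits.
ACCESS_KEY_ID_RE = re.compile(r"(?<![A-Z0-9])((?:AKIA|ASIA)[0-9A-Z]{16})(?![A-Z0-9])")

# Secret access keys are 40 characters of the base64 alphabet, which on its own
# matches many harmless tokens. Assumption used here: only flag a candidate that
# follows an identifier naming an AWS secret key on the same line.
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?(?:access[_-]?)?key"   # e.g. AWS_SECRET_ACCESS_KEY
    r"[^\n]{0,20}?"                                  # ' = ', ': "', etc.
    r"(?<![A-Za-z0-9/+=])([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

HUNK_HEADER_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


class Finding(NamedTuple):
    kind: str
    path: str
    line: int   # line number in the new version of the file
    value: str


def shannon_entropy(s: str) -> float:
    """Bits per character; real secrets sit well above repeated or dictionary text."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan_line(text: str, min_entropy: float = 3.5) -> List[tuple]:
    """Return (kind, value) pairs for credential-looking strings in one line."""
    hits = [("aws_access_key_id", m.group(1)) for m in ACCESS_KEY_ID_RE.finditer(text)]
    for m in SECRET_KEY_RE.finditer(text):
        candidate = m.group(1)
        # Entropy threshold (assumption) drops placeholders such as 40 x "A".
        if shannon_entropy(candidate) >= min_entropy:
            hits.append(("aws_secret_access_key", candidate))
    return hits


def scan_diff(diff_text: str, min_entropy: float = 3.5) -> List[Finding]:
    """Walk a git unified diff, scanning only '+' lines and tracking new-file line numbers."""
    findings: List[Finding] = []
    path = "<unknown>"
    new_lineno = None  # None while outside a hunk
    for raw in diff_text.splitlines():
        first = raw[:1]
        if new_lineno is not None and (first in ("+", "-", " ", "\\") or raw == ""):
            if first == "+":
                for kind, value in scan_line(raw[1:], min_entropy):
                    findings.append(Finding(kind, path, new_lineno, value))
            if first not in ("-", "\\"):
                new_lineno += 1   # added and context lines both exist in the new file
            continue
        # Outside a hunk: pick up the new-file name and the next hunk header.
        new_lineno = None
        if raw.startswith("+++ "):
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
        else:
            m = HUNK_HEADER_RE.match(raw)
            if m:
                new_lineno = int(m.group(1))
    return findings


# Constructed diff for the demo (not a real Uber commit). The key values are the
# placeholder credentials AWS uses in its own documentation.
SAMPLE_DIFF = "\n".join([
    "diff --git a/deploy/settings.py b/deploy/settings.py",
    "--- a/deploy/settings.py",
    "+++ b/deploy/settings.py",
    "@@ -1,4 +1,6 @@",
    " import os",
    " ",
    '-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]',
    '+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    '+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"',
    '+BUCKET_NAME = "prod-rider-backups"',
    ' REGION = "us-east-1"',
])

if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    hits = scan_diff(data)
    for f in hits:
        print(f"{f.path}:{f.line}: {f.kind} {f.value[:4]}...{f.value[-4:]}")
    sys.exit(1 if hits else 0)
```

Run without piped input it scans the constructed diff and reports the key on line 3 and the secret on line 4 of deploy/settings.py. Scanning only added lines keeps the hook fast and avoids re-flagging history; a separate one-off scan of the full history is still needed when adopting the hook, because a key committed once is exposed even after it is removed in a later commit.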
What have we learned from this data breach?
The breaches highlighted the importance of basic credential hygiene (no secrets in source control, distinct and rotated keys, multifactor authentication), of prompt and transparent breach notification, and of adherence to regulatory requirements, as well as the legal consequences, for the company and for individual executives, of failing to protect user data and then hiding the failure.
Summary of Coverage
Uber's breaches exposed the personal data of millions of users and led to significant legal and financial consequences for the company due to poor security practices and mishandling of the aftermath.