What do a $31m loss and Uber have in common?
Busy week in hackerland as old cover-ups come to light and new incidents pile in...
Hackers have issued something of a wake-up call to several businesses this week, the two most emphatic going to the oft-controversial personal transportation company Uber and to Tether, a cryptocurrency startup.
The two companies lost the personal information of 57 million users and drivers, and nearly $31m in cryptocurrency respectively.
The Uber breach allegedly occurred back in 2016, and involved “two individuals outside the company” who “accessed user data stored on a third-party cloud-based service that we use,” according to the company’s chief executive Dara Khosrowshahi.
“At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals”, he said in a blog post. Widespread media reports claim that the steps involved a payment to the hackers of $100,000 (£75,500) to delete the data and keep the breach secret.
Ilia Kolochenko, CEO, High-Tech Bridge, said: “Speaking about the legal side of the breach, it will likely bestow on Uber a wide spectrum of lawsuits in different jurisdictions and quite painful sanctions.
“As per publicly available information, Uber was insecurely storing customers’ data in a breach of existing best practices and compliance requirements. This internal malfunctioning is likely to be at the origin of the breach. Failure to disclose the incident in a timely manner also indicates imperfect internal security policies and procedures. Per se, names and emails leakage is not very dangerous, however the stolen data may be used in advanced spear-phishing attacks and cause an irreparable damage to the victims.”
“I think the most important now is to ascertain that the alleged scope of the breach is not mistakenly underestimated or deliberately concealed. Uber is a very attractive target for professional hackers, from Black Hat mercenaries to nation-state groups. The uncovered incident may be just a tip of the iceberg.”
The breach itself may prove the least of Uber’s worries, as the UK’s data watchdog was quick to make clear when it confirmed that UK residents’ data was involved.
“It's always the company's responsibility to identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers. Deliberately concealing breaches from regulators and citizens could attract higher fines for companies.
“Uber's announcement about a concealed data breach last October raises huge concerns around its data protection policies and ethics”, said James Dipple-Johnstone, ICO Deputy Commissioner in a statement.
Meanwhile, in another corner of the internet the Tether team have been working frantically to isolate and contain an attack that transferred $31 million worth of Tether's US dollar-backed tokens to an ‘unauthorised’ account.
Kolochenko continued: “High profits are unavoidably accompanied by high risks and dangerous pitfalls. Omitting fundamental questions of cryptocurrency reliability, many startups with great ideas significantly underestimate and ignore their own cybersecurity imperiling their business. We will likely see more disastrous breaches where many inexperienced investors into “digital gold” will lose their savings.
“Every investor shall properly enumerate and assess the risks related to a particular technology and especially to a cryptocurrency. If you don’t know how quickly you can exit back to cash, how the currency can be regulated, manipulated or impacted by a hack – you’d better find another digital asset to invest into, such as intellectual property.”
Interestingly, one online sleuth has been interrogating the blockchain records and claims to have found links to an older attack on bitcoin exchange Bitstamp.
The earlier attack netted the hackers $5m, after a lengthy and ingenious phishing campaign allowed them to compromise internal systems, plant malware and ultimately access Bitstamp’s wallets and divert some 18,000 bitcoins.
Of course, even adding up the blockchain evidence, the trail runs cold as to the real-world identities of the hackers, at least for the moment.