Data accessed on 5/13/2014, Uber noticed on 9/17/2014, and then notified the affected on 2/27/2015. Thankfully it was only names and plate numbers, but still...
All I see from Uber is bad publicity and poor management decisions. I wonder what it's like to work there from an insider's perspective, because from the outside it doesn't look good.
It sounds like they realized the API was improperly exposed on 9/17/2014, but didn't necessarily know if it had ever been accessed by an unauthorized request.
I could see it taking a while to find one bad request in the entire history of the API's lifespan -- presuming that they had to find the logs, weed out false positives, different sites and versions that behaved differently, etc.
That still doesn't explain a 5 month gap. The only (charitable) explanation that makes sense to me is that they discovered the API was exposed, thought they had proven it was never improperly accessed, and then only much later realized that it had been after all.
I'm not defending them on this, because that does seem to be a long enough time to be more proactive about it. You did bring up an interesting point though: Uber is facing opposition from almost every city they are in, whether it's small-town South Carolina, where I'm from, or some of the largest cities in the world. It would be interesting to see how people deal with this on the inside and how it affects the culture.
In early 2014, you could see the driver's home address, cell phone number, the ESN for their phone, the VINs of the car(s) they had on their account... the list goes on and on...
Congress needs to stop pissing in the wind and make a federal law on breach disclosure. Self-evidently companies won't universally do this on their own, and state-specific law makes compliance more difficult and expensive.
As much as Uber messed up here and there was a security breach, comparable information is publicly available. For example, the TLC in NYC provides this:
This is a spreadsheet containing all the taxi drivers in NYC with their names, license numbers, and license expiration dates. Given that the only information leaked (according to Uber) were names and license numbers, that really isn't much beyond what might otherwise be available publicly.
In Massachusetts the driver's license number used to be your social security number. This was changed, but are there other states that have not done so?
Uber really needs to have a public data retention policy stating that they anonymize or delete all data older than a couple weeks. I'm just waiting for them to be hacked and have to reveal that people's trip data for years has been released.
> Uber says it will offer a free one-year membership of Experian’s ProtectMyID Alert
My ID has been breached twice in other, unrelated incidents. Each time these ID protection companies want to know my SS# and all sorts of other stuff. My heart skips a beat imagining them scraping the web for my SS# and CC# in an otherwise well-intentioned effort. I've refused their services and insist they only provide the insurance policy associated with this.
I see a lot of comments about security, but would be happy to bet this was simple social engineering and "human hacking". It's sobering to see large-ish companies that give full read access (and sometimes write) of customer and financial data to interns, fresh grads and new contractors for expediency. Young people are cheap. $500 is a new computer or weeks of food to an indebted student.
Management usually doesn't care, revenue and convenience trump security; until of course something bad happens, which is why older institutions have draconian access standards, meetings to discuss who has the right to know about the meeting to determine the access list management program (true story) and so on.
Nothing in the press release hints at an actual attack. "An unauthorized third party accessed our database, and we immediately changed the password" sounds like they realized one of their competitors hired an intern to get them a login.
Last year Uber was using Backbone and the JSON returned to the client included ALL information about the drivers you have used for trips including home address, phone number, etc. I wonder if this has something to do with that?
You could also use an auth token from the Android app and snoop around other users if you knew some info about them, which you could if you had access to a driver's phone (I did/do).
And depending on the state, you can find out the driver's birthday, or even if their real name is different from what is listed on their profile. The site at [0] shows how many states use soundex coding and modulus arithmetic to encode driver's license numbers with PII.
I'd be keen to see if every driver's info aligns with the license number (for those states that use encoding systems that embed PII into the number).
I find it unlikely they have a database explicitly for driver names/license plates, unless it was some flat-file dump that was compromised. I'm curious how much data was really obtained. If only 50k were truly stolen, it could be a shard too. The lack of technical details is sketchy to me.
I also find it unlikely it's just the name and license number. They used to return all of a driver's information (name, phone, address, driver's license, license plate, etc.) from the REST endpoint they were using on their website. They closed that hole after we disclosed it to them.
Why does sec get breached? Marketing wants easy access to all data, that's it. Big Data / deep learning wants easy access, lots of data is in transit. Security is not convenient for operations, therefore companies have sec on paper and audits and stuff but no real sec.
The free one-year membership of Experian’s® ProtectMyID® Alert is genius: it's giving away something that costs them nothing (presumably Experian is using this as a marketing opportunity) as if it were a real step in the right direction to make up for the data leak.
I work in info sec, and in one of the "Who's Hiring" posts a few months ago (do we still do those? I haven't seen one in a while) I asked "why are startups never hiring security guys?", because I never see a security engineer position open in those topics. I never got a response. To me that indicates the response is "we don't".
Listen, guys. I don't care how small you are. If you are handling PII or credit card data or anything that, if leaked, would harm your business or your customers, you need a security guy. Not a programmer who knows some security stuff. Not a manager who checks off the online PCI self-assessment. Not "we outsource to an MSSP". At least one security guy, full time. Make sure that everything you do is run past that person. If you're so busy that you can't run everything past that person, hire another.
It's not a joke. Stop fucking ruining people's lives. It's 2015, four years past "the year of the breach" [1]. Get with the program. It's not okay to have a breach. It's not. It doesn't matter how much money you saved from not having a security guy or the tools they need. Get someone who knows what they're talking about and listen to them.
Just like they all need a dedicated network engineer, or a dedicated storage engineer, or a dedicated "whatever" engineer? Losing data is unacceptable too, right? I'm not saying security people are not necessary, but there are a lot of non-dedicated "whatevers" that can handle "whatever" sufficiently. Coupled with security audits, which in my experience leave a LOT to be desired, speaking as a non-dedicated "security" engineer (I know of a few areas where I'd like to shore up, but they never come up on security audits, hmmm), this is often sufficient. Besides, don't you figure Target, Home Depot, EA, and Sony had dedicated security people?
Again, this is not arguing against security guys. It's just that this post reads a bit like "Well, if they were only hiring people like me maybe this wouldn't have happened".
> It's not okay to have a breach. It's not. It doesn't matter how much money you saved...
If only this were true, they would be hiring security people.
Nothing is going to change until companies are held accountable for the damages caused by negligence. If someone in the infosec field wants to make a difference, I'd reckon their best bet is lobbying to make this happen.
> It doesn't matter how much money you saved from not having a security guy or the tools they need.
It's the only thing that matters. It's capitalism. Those who waste money on unnecessary expenses get outcompeted by those who don't. Unless you find a way to make companies financially responsible for crappy security, they won't care. Right now breaches like these seem to be more like free advertising (a typical user will just read "something something Uber something hacked" and next week will just have a vague sense Uber was mentioned in the news).
Serious, legit question here. How many lives will be ruined by this breach of 50k? How many lives were ruined when 40 million CCs and 70 million accounts (address, phone number, etc.) were stolen in the Target breach?
Ruin seems like an awfully strong word here. I hesitate to say that because I don't want to downplay the importance of security. But to take security seriously I think we also have to be non-hyperbolic about the consequences of not doing so.
I mostly agree, but the calculation is different for different businesses.
The costs of engineering time and hiring a security professional may be much more expensive than the lost business due to breaches.
In this particular case they likely have enough resources to have made it happen, but it remains to be seen whether this will actually cost them much if anything.
I totally agree. I used to work in Info-sec back in D.C. before I moved out to San Francisco and I would always joke with my D.C. buddies that San Francisco cares about product first, security later. Most people in SF are so wrapped up around which framework is the coolest hottest thing and have no idea about anything related to security until it's too late.
I would always complain about being 2-5 years behind in terms of technology stacks when I lived in D.C., but we were always a lot more careful about deployment decisions and extremely serious about data security. That mentality is ingrained in me to this day, so I always think about security. Unfortunately, it's not in the minds of a lot of people.
I don't think these breaches are going to stop until something really serious happens or until there are some serious negative legal consequences for data breaches. Sadly, it's up to consumers to try and sort out which companies have the best practices and that's not always apparent.
If you look at the actual impact to companies by breaches like this, it's almost the same impact that Google, Apple, and Microsoft faced after the PRISM leak - hardly perceptible to revenue. What does happen though obviously is a lot of opex expenditures to deal with it all, and that's where companies are getting squeezed oftentimes in the usual behemoth dysfunctional megacorp landscape.
I'm gung-ho about security as much as you but the truth is that users hardly stop using a service after data breaches. The ones that do matter though are like the ones that delete all your AWS instances and custom AMIs when holding your company's assets for ransom. That is what startups should be worried about indeed (as well as enterprises that are transitioning more of their IT into cloud environments that can be scripted and automated much easier - makes it easier for attackers in theory too).
Agreed, but these guys aren't small, they're fucking huge, so they really don't have an excuse. They possibly still have the startup culture of growing quickly and worrying about the details (e.g. security) later.
I generally agree with the main thrust of your argument, but this seems way over the top. I don't know if every brick-and-mortar business in the world can afford to hire a dedicated security engineer. Should they all just close shop?
And if we're going by Wikipedia's definition of PII, probably at least 50% of the websites in the world. Including this one.
Maybe you don't mean all that, but if I am to take what you posted at face value, it seems insanely irrational.
I completely agree with you, but sadly, this kind of thing will never happen until there is a strong incentive for those companies to hire dedicated security people. Right now it's standard for companies to apologize and give people a year of credit monitoring.
It's become such a common issue there is no incentive to invest in security and that's a bad thing.
This is anti-competitive and regressive; it helps the big guns. Imagine big companies shutting down small ones because they don't have dedicated security staff. We need companies with working security to outsource this service to, for example for storing records.
joe_the_user|11 years ago
[0] https://news.ycombinator.com/item?id=9122369
[1] http://blog.uber.com/2-27-15
leereeves|11 years ago
A charitable interpretation might be that they discovered a vulnerability in September, but didn't find the May breach until recently.
anseljh|11 years ago
Civil Code § 1798.82(a): http://leginfo.legislature.ca.gov/faces/codes_displaySection...
I find it hard to square that requirement with Uber waiting 5 months from when it found out.
ryan_j_naughton|11 years ago
http://www.nyc.gov/html/tlc/downloads/excel/current_medallio...
eddiezane|11 years ago
[0] http://blog.uber.com/2-27-15
jheriko|11 years ago
The number of f*cks I can give for the company is so low. I just feel sorry for all the drivers with the leaked information...
louwrentius|11 years ago
They are happy enough if their systems actually work and run. That's enough for them.
This incident won't cost Uber anything. It won't matter to them. A few apologies here and there and that will be the end of it.
Maybe, maybe there is some trivial fine to pay, but that will be a rounding error on their balance sheet.
spdustin|11 years ago
[0] http://www.highprogrammer.com/alan/numbers/index.html
freehunter|11 years ago
[1] http://news.softpedia.com/news/IBM-2011-is-The-Year-of-the-S...
mh_|11 years ago
This problem might just be a little more complex than we are giving it credit for...
oskarth|11 years ago
Target paid $1.2 BILLION in dividends on $21.8 BILLION sales for 2014, its data breach only cost it $162 Million. Cost of doing business.
From https://twitter.com/spacerog/status/570719734230073344