In another self-inflicted blow, ride-hailing startup Uber Technologies Inc. has fired its chief security officer after it was discovered that he hid details of a hack in 2016.

Worse still, the executive paid the hackers $100,000 behind it to delete the data and keep the breach quiet. Uber Chief Executive Dara Khosrowshahi said today that the hack involved “two individuals outside the company” who “inappropriately accessed user data stored on a third-party cloud-based service that we use.”

The theft of records included names and drivers license numbers of about 600,000 Uber drivers in the United States along with the personal information of 57 million Uber users worldwide, including names, email addresses and mobile phone numbers. Khosrowshahi added that the company does not believe trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded by the hackers.

Khosrowshahi, who said he was only recently made aware of the incident, confirmed that the hackers had been identified and had given “assurances that the downloaded data had been destroyed.” Moreover, he added, “effective today, two of the individuals who led the response to this incident are no longer with the company.” According to Bloomberg, one of those two people was fired and the mastermind behind the scheme was CSO Joe Sullivan.

“None of this should have happened, and I will not make excuses for it,” Khosrowshahi concluded. “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.”

Commenting on the hack, Mike Kail, chief technology officer at CYBRIC Inc., told SiliconANGLE that the hackers appeared to have accessed a private GitHub code repository used by Uber engineers and used login credentials obtained there to access data stored in an Amazon Web Services Inc. account. “If true, this is another exhibit of extremely poor security hygiene and lack of overall, continuous security visibility into core assets,” Kail said. “This is even more egregious given the fact that it was concealed for over a year, and will undoubtedly not help Uber’s already tainted reputation.”

Sophos Group plc Principal Research Scientist Chester Wisniewski added that Uber’s breach demonstrates once again how developers need to take security more seriously and avoid embedding or deploying access tokens and keys in source code repositories.

“I would say it feels like I have watched this movie before, but usually organizations aren’t caught while actively involved in a coverup,” Wisniewski said. “Putting the drama aside and the potential impacts from the upcoming GDPR enforcement, this is just another development team with poor security practices that has shared credentials. Sadly, this is common more often than not in agile development environments,” he added, referring to a speedier form of software development common today.

Stephan Chenette, chief executive officer and co-founder of AttackIQ Inc., said that the Uber hacking story should be a wakeup call to enterprises of all types. “Organizations that do not actively search for protection failures will more than likely find themselves victims of cybercrime such as Uber,” Chenette said. “What makes this breach particularly damning is the failure of Uber to ethically disclose the breach to its customers. This is another epic failure.”

There are ways to prevent hacks like these, said Manoj Asnani, Balbix Inc.‘s vice president of product and design. “Stolen passwords are one of the most common ways adversaries propagate through the enterprise to steal critical data,” he said.

While noting that most security solutions do not provide visibility into breach risk from password reuse, Asnani said that “predictive security solutions can look at the password behavior of users – including sharing of passwords across personal and corporate use – and flag that risk. With this kind of a solution, Uber would have been able to see developers sharing the same passwords for Github and AWS accounts and taken action to prevent this breach.”

Photo: Pexels