Companies using the public cloud get better security than if they store data themselves thanks to economies of scale — but Uber’s massive data breach shows there’s still a lot to do.
Ride-sharing firm Uber suffered a data breach in October 2016 that exposed the personal data of 57m customers and drivers.
Uber hid the incident for more than a year — until it was reported by Bloomberg in November this year — allegedly convincing the perpetrators to delete the stolen data and conceal the incident in exchange for a $100,000 bounty.
Uber’s covering up of the breach was shocking and resulted in the termination of its chief information security officer and several other top cyber security managers.
But Uber could have prevented the breach by doing just a few things.
Like many companies, Uber uses GitHub — a cloud-based version-control repository to manage and share software code.
Uber’s code, however, contained its username and password to Uber’s Amazon Web Services account, where Uber had stored sensitive user and rider data.
This sort of mistake — hard-coding credentials into or alongside software code — happens constantly, and has led to numerous breaches of web applications and cloud services.
Yet any number of cloud security controls could have prevented or limited the damage:
- Had Uber successfully taught its developers not to hard-code credentials, or used code-scanning to identify such mistakes during the development process, the keys to the AWS account never would have been stored on GitHub.
- Had Uber segmented its data more judiciously, it could have avoided storing such a large volume of sensitive data in a single AWS account.
- Had multifactor authentication been enabled for the compromised account, attackers would not have been able to breach it without both a password and access to a secondary device.
- And even if it failed in all of those opportunities, had Uber encrypted the data stored in the cloud, it still could have avoided the incident because the data would have been useless to the attackers that found it.
Uber should have learned these lessons before: it experienced a nearly identical incident in 2014 that exposed data on 100,000 drivers and avoided a fine, ironically, by promising to improve its security.
While the cloud can be as secure as any other IT resource, but it won’t secure itself. Companies that fail to learn this lesson risk following in Uber’s footsteps.