Companies using the public cloud get better security than if they store data themselves thanks to economies of scale — but Uber’s massive data breach shows there’s still a lot to do.

Ride-sharing firm Uber suffered a data breach in October 2016 that exposed the personal data of 57m customers and drivers.

Uber hid the incident for more than a year — until it was reported by Bloomberg in November this year — allegedly convincing the perpetrators to delete the stolen data and conceal the incident in exchange for a $100,000 bounty.

Uber’s covering up of the breach was shocking and resulted in the termination of its chief information security officer and several other top cyber security managers.

But Uber could have prevented the breach by doing just a few things.

Like many companies, Uber uses GitHub — a cloud-based version-control repository to manage and share software code.

Uber’s code, however, contained its username and password to Uber’s Amazon Web Services account, where Uber had stored sensitive user and rider data.

This sort of mistake — hard-coding credentials into or alongside software code — happens constantly, and has led to numerous breaches of web applications and cloud services.

Yet any number of cloud security controls could have prevented or limited the damage:

  • Had Uber successfully taught its developers not to hard-code credentials, or used code-scanning to identify such mistakes during the development process, the keys to the AWS account never would have been stored on GitHub.
  • Had Uber segmented its data more judiciously, it could have avoided storing such a large volume of sensitive data in a single AWS account.
  • Had multifactor authentication been enabled for the compromised account, attackers would not have been able to breach it without both a password and access to a secondary device.
  • And even if it failed in all of those opportunities, had Uber encrypted the data stored in the cloud, it still could have avoided the incident because the data would have been useless to the attackers that found it.
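The first control in the list above, scanning code for hard-coded credentials before it ever reaches a shared repository, is the one most easily made concrete. The following is an added illustration that is not part of the article and not Uber's or GitHub's own tooling: a minimal pre-commit style scanner in Python. The AWS access key ID shape (the prefix AKIA followed by 16 upper-case alphanumerics) is AWS's documented format; the secret-key and password patterns, the `secret-scan: allow` marker for reviewed false positives, and the contents of the sample file are assumptions constructed for this example. In practice a team would run a maintained tool such as git-secrets or GitHub's own secret scanning in the same position, but the logic is the same: match credential shapes, report with the value redacted, and fail the commit.

```python
import re
import sys

# Credential shapes to look for. The AWS access key ID format (prefix "AKIA"
# followed by 16 upper-case alphanumerics) is AWS's documented format; the
# secret-key and password patterns are generic heuristics chosen for this
# example, not anything taken from the article.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_\s]?secret[_\s]?access[_\s]?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})\b"
    ),
    "hardcoded_password": re.compile(
        r"(?i)(?:password|passwd|pwd)\s*[=:]\s*['\"]([^'\"]{6,})['\"]"
    ),
}

# Assumed convention: a line carrying this marker is a reviewed false positive.
ALLOW_MARKER = "secret-scan: allow"


def redact(secret):
    """Keep a short prefix so a finding is recognisable without re-exposing it."""
    return secret[:4] + "*" * (len(secret) - 4)


def scan_lines(lines, path="<memory>"):
    """Return one finding dict per credential-shaped match, in file order."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        if ALLOW_MARKER in line:
            continue
        for kind, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                findings.append({
                    "path": path,
                    "line": lineno,
                    "type": kind,
                    "match": redact(match.group(1)),
                })
    return findings


def scan_file(path):
    """Scan one file on disk; decoding errors are replaced rather than fatal."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_lines(fh.read().splitlines(), path)


# Constructed sample source file; the values are fake but credential-shaped.
SAMPLE_SOURCE = """\
import boto3

# config for the reporting job
AWS_ACCESS_KEY_ID = "AKIAABCDEFGHIJKLMNOP"
AWS_SECRET_ACCESS_KEY = "abcdefghijklmnopqrstuvwxyz0123456789ABCD"
db_password = "hunter2hunter2"
s3 = boto3.client("s3", region_name="us-east-1")
"""


def main(argv):
    """Pre-commit style entry point: scan the files given, exit 1 on any finding.

    With no file arguments the constructed sample above is scanned instead.
    """
    if len(argv) > 1:
        findings = [f for p in argv[1:] for f in scan_file(p)]
    else:
        findings = scan_lines(SAMPLE_SOURCE.splitlines(), "sample.py")
    for f in findings:
        print(f"{f['path']}:{f['line']}: {f['type']} ({f['match']})")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with no arguments to see the three findings in the constructed sample, or pass the paths of staged files from a pre-commit hook; the non-zero exit status is what blocks the commit. Redacting the matched value in the report matters because hook output often ends up in CI logs, which would otherwise become one more place the credential is stored.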

Uber should have learned these lessons before: it experienced a nearly identical incident in 2014 that exposed data on 100,000 drivers and avoided a fine, ironically, by promising to improve its security.

The cloud can be as secure as any other IT resource, but it won’t secure itself. Companies that fail to learn this lesson risk following in Uber’s footsteps.