Don’t you just love living in a “connected” world?
Hackers stole the personal data of 57 million customers and drivers from Uber Technologies Inc., a massive breach that the company concealed for more than a year.
This week, the ride-hailing firm ousted its chief security officer and one of his deputies for their roles in keeping the hack under wraps, which included a $100,000 payment to the attackers.
Compromised data from the October 2016 attack included names, email addresses and phone numbers of 50 million Uber riders around the world, the company said Tuesday. The personal information of about 7 million drivers was accessed as well, including some 600,000 U.S. driver’s license numbers. No Social Security numbers, credit card information, trip location details or other data were taken, Uber said.
At the time of the incident, Uber was negotiating with U.S. regulators investigating separate claims of privacy violations. Uber now says it had a legal obligation to report the hack to regulators and to drivers whose license numbers were taken. Instead, the company paid hackers to delete the data and keep the breach quiet. Uber said it believes the information was never used but declined to disclose the identities of the attackers.
“None of this should have happened, and I will not make excuses for it,” Dara Khosrowshahi, who took over as CEO in September, said in an emailed statement. “We are changing the way we do business.”
After Uber’s disclosure Tuesday, New York Attorney General Eric Schneiderman launched an investigation into the hack, his spokeswoman Amy Spitalnick said. The company was also sued for negligence over the breach by a customer seeking class-action status.
Hackers have successfully infiltrated numerous companies in recent years. The Uber breach, while large, is dwarfed by those at Yahoo, MySpace, Target Corp., Anthem Inc. and Equifax Inc.
I wish I could say that older, more mature businesses are better about protecting their customers’ data, but the Equifax debacle shows that isn’t true.
I see it as a quality problem. Right now, we have fresh-out-of-college programmers who are building the security equivalent of the Ford Pinto. Mostly because they don’t know any better (inexperience), but also because management is demanding an ever-greater number of features in ever-shorter timeframes. Something’s gonna give, and usually it’s security.
This is also relevant:
http://brucefwebster.com/2008/04/15/the-wetware-crisis-the-themocline-of-truth/
All this data collection for mostly trivial interactions is going to be the end of identity. These idiots in Silly-Con valley blow off privacy protection because they don’t think about security. In fact, they don’t think about what they’re doing at all. There’s really not much need for retaining data after a transaction other than maybe the date, time and amount for accounting. Basically the information printed on a receipt. Throw away the “who” part of a record and the accountants and manager types can still figure out everything they need to know. Use the “where” part of a record for planning forecasts if needed, but keep that data separate from everything else and again, strip out as much as practical; for example, use first digits of the house number and street instead of the whole house number.
But the problem is companies like Uber don’t “code” any of that low level stuff. These companies don’t want to have to start from scratch all the time. They buy packages of software. In the same way that Excel has more features than any one person will ever use, these packages try to be all things to all customers and throw in the kitchen sink when it comes to data collection. Even though a company might not want or need to keep all that data, it is being collected by the package. If the software guys don’t specifically toss out the data (or more likely managers decide someone might need it someday) there it sits on a server somewhere.
This would all be fine if Uber followed the HIPAA compliance rules for data retention. But that costs money. Lots and lots of money that a startup probably doesn’t have. Hell, even Apple dances around HIPAA compliance with their Healthkit data collection, and Apple is the most profitable company on Earth. And having the HIPAA sticker on your server doesn’t necessarily mean it still isn’t vulnerable. After all, HIPAA is a product of Uncle, not Brinks. All a health care company has to do is show they made an honest effort at compliance and they’ll be off the hook.
Now when your company gets a hit and has millions of customer records, it’s time to upgrade. Writing new software from scratch is a Herculean effort. And if the old stuff still works, well, why break it? So programmers just add on another layer to fix the complaints. After all, hardware is cheap and just throwing more at old software will make it run faster anyway. Now they have billions of transaction records, all of which have extra unnecessary data.
And then it happens. Some idiot in accounting or marketing decides they need access to run a report. They have a “ch@ng3m3” password. Or they click on a link that allows for remote desktop management. Or they “need” to log in from home 3 days a week because “well Rodger gets to work from home, so I should be able to too.” And instead of having very specific rights applied, or the rights management is set up to keep idiots from trashing the database instead of limiting access to the data in the database, anyone who gets into the system can pretty much get what they want, which is read only access, low level authorization type stuff. And remember that package that started all this? Well, just like thieves know that most people keep the gun safe in the master bedroom, the hackers know exactly where all the data is kept because they’ve seen it before. They can pull a smash-and-grab before anyone notices.
I don’t know what the answer to all this is. The problems are far too complex for my simple mind to grasp. The first gut reaction of course is that “we need a law,” but all that means is that Uncle will just make it worse. Figuring out the price for personal data is a good start, although the only way you can calculate a price is if there’s a market. There is a market, of course, but it is one created by Uber and we’re not allowed in. Otherwise many of us would just buy our data ourselves. And again, there’s going to be a record of who buys that data, so we end up right back to where we started. They say that’s the power of the bitcoin blockchain stuff, but that’s probably much worse because that makes everything public.
I got way too deep into this for a car blog… Sorry.
Canned subroutines go back to the days of FORTRAN doing engineering calculations. So that in and of itself isn’t a huge thing.
Basically privacy has gone from something that was passively there to something that requires active defense.
True, but back in the days of Fortran there was a pretty big air gap between personal data on a server and China…