Cloud security has had a rough ride of it recently, and this past week its driver was the $68bn global transportation company, Uber.
Earlier this week, it was revealed that the personal details of Uber’s 57 million drivers and customers had been stolen back in 2016. The company then made matters worse by not reporting the breach to international data regulators, and instead paying the perpetrators $100,000 to delete the sensitive files and cover up the incident.
However, Uber’s failure to disclose the breach goes beyond non-adherence to best practice and journeys into the realm of the unethical. With such a large amount of sensitive data at stake, Uber was certainly obliged to report the breach immediately. It is no wonder then that it has made headlines and incensed both customers and legal authorities internationally.
This is not the first time Uber has driven into a security and PR storm, though. Back in 2015 a breach with a similar cause was disclosed a year after it was originally discovered. The cause then, and on this occasion, was elementary and easily avoidable.
How The Attack Happened
As well as using GitHub to store source code, the programmers at Uber had used a GitHub repository to upload security credentials, the keys to Uber’s servers hosted on Amazon. All it then took was for the hackers to find the keys and drive off with ‘the car’. In this case, the ‘car’ was driving license details, along with many other personal records of Uber’s international customers, including names, email addresses and phone numbers – none of which was encrypted, or protected by anything more than a username and password.
As discussed on this blog earlier this year, these breaches would be less common if companies took the shared responsibility model more seriously and adhered more closely to cloud security best practices.
How The Breach Could Have Been Prevented
There are several ways Uber could have prevented this attack. Two-factor authentication, which GitHub now provides, would have added an extra layer of security and prevented the hackers from logging into their account. The use of SSH keys and the separation of login details and code would also have reduced the risk. In addition, access could have been limited by implementing an SDP (software-defined perimeter) approach to their data itself. This would have leveraged multiple identification factors to ring-fence the data that the hackers wanted to see, making a breach far less likely.
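One way to enforce the separation of login details and code described above is a Git pre-commit hook that rejects staged files containing AWS credentials. This is an added example, not code from the original post or from Uber; the regular expressions, function names and the sample (the placeholder key pair used in AWS documentation) are assumptions chosen for illustration.

```python
#!/usr/bin/env python3
"""Pre-commit check: refuse a commit whose staged files contain AWS credentials."""
import re
import subprocess
import sys

# Typical access key ID: "AKIA" (long-term) or "ASIA" (temporary) plus 16 upper-case letters/digits.
KEY_ID = re.compile(r"(?<![A-Z0-9])((?:AKIA|ASIA)[A-Z0-9]{16})(?![A-Z0-9])")
# A 40-character secret written literally next to its usual variable name.
SECRET = re.compile(
    r"(?i)aws_?secret_?(?:access_?)?key[\"']?\s*[=:]\s*[\"']?"
    r"([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"
)

def redact(value):
    """Keep only the first 4 characters so the report does not leak the key again."""
    return value[:4] + "*" * (len(value) - 4)

def scan_text(path, text):
    """Return (path, line number, kind, redacted value) for each credential found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in (("access-key-id", KEY_ID), ("secret-access-key", SECRET)):
            for match in pattern.finditer(line):
                findings.append((path, lineno, kind, redact(match.group(1))))
    return findings

def staged_files():
    """Yield (path, staged content) for files added or modified in the index."""
    names = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM", "-z"],
        capture_output=True, check=True).stdout.decode().split("\0")
    for name in filter(None, names):
        blob = subprocess.run(["git", "show", f":{name}"], capture_output=True, check=True)
        yield name, blob.stdout.decode("utf-8", errors="replace")

# Constructed sample using the placeholder key pair from AWS documentation.
SAMPLE = '''import os
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
safe = os.environ["AWS_SECRET_ACCESS_KEY"]  # read at runtime, nothing to flag
'''

if __name__ == "__main__":
    found = [f for path, text in staged_files() for f in scan_text(path, text)]
    for path, lineno, kind, shown in found:
        print(f"{path}:{lineno}: {kind} {shown}", file=sys.stderr)
    sys.exit(1 if found else 0)
```

Saved as `.git/hooks/pre-commit` and made executable, the script blocks the commit whenever it exits non-zero.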
Of course, cloud computing is the modern world of IT. It offers companies much greater agility and enables them to deliver applications at a fraction of the cost and time. However, the shared responsibility model is a policy that must be adopted to ensure customer data is stored securely in the cloud by both the cloud provider and the organization using it. In this way, companies can avoid being the next one to be taken for a ride.
Check Point’s Cloud Security Solution
Check Point vSEC complements native cloud security controls to ensure customers can fulfill their shared security responsibilities. With Check Point vSEC, customers can secure their workloads and applications running in cloud environments, minimizing threats from breaches, data leakage as well as zero-day threats. Check Point vSEC provides comprehensive threat prevention security, access, identity, strong authentication, compliance reporting and multi-cloud connectivity to help organizations embrace the cloud with confidence.