Uber has had a difficult year. It took another hit last week with the news that it had covered up a data breach that occurred more than a year ago.
The breach itself occurred in October of 2016, and compromised the personal information of 57 million customers and drivers around the world. Names, email addresses, phone numbers, and driver’s license numbers (for drivers) were stolen by the hackers. Fortunately, more sensitive information, such as credit card numbers, social security numbers, and other such details, was not accessed.
Adding insult to injury, instead of reporting the incident to the authorities, Uber paid the hackers USD $100,000 to delete the data. Not only is failure to report a breach in a timely manner against the law in many states, it is also an act of complete disrespect for the rights of Uber’s users to know how their data is being handled.
So, how did the hack occur? Digital thieves broke into the accounts of two Uber engineers on a third-party cloud-based website, and were able to obtain passwords for accounts with access to user and driver information.
The most important thing to note here is that, using just passwords that they found online, the hackers were able to break into Uber’s systems and access stored data. The single-factor authentication that Uber was using at the time made it incredibly easy for hackers to break in. Had multi-factor authentication been in place, the hack would have been significantly more difficult, if not impossible, for the attackers to carry out.
This attack is a prime example of the urgent need for companies to protect their own systems in order to protect their end users and sensitive data. Though the attack occurred on the platform of a third-party data storage provider, Uber is nonetheless responsible, and will ultimately have to answer to their end users and shareholders. By not sufficiently protecting their computer systems, Uber left their customers, who trust the company to protect their data, at risk.
In addition to the legal ramifications that the company will likely face, Uber’s brand reputation was left significantly damaged by this episode. There are many other ride-sharing apps on the market, and it is likely that many end users will decide to move their business to what they see as a more data-secure competitor.
Organizations looking to avoid breaches such as this one, which cause immense financial and reputational loss, should ensure that their systems can only be accessed by authorized persons. Those that adopt multi-factor authentication that goes beyond simple passwords into factors such as biometric recognition technology, mobile software tokens, and push authentication will be doing themselves a favor by keeping their data and brand out of the hands of hackers.
For more information on Easy Solutions’ authentication solution, visit our page on DetectID for Enterprises.