This week, we discuss Uber’s cover-up of a 2016 breach that compromised 57 million drivers’ and customers’ personal information, the theft of almost $31 million worth of USDT and more than €100,000 worth of Bitcoin, and good news for victims of Western Union transfer scams.
Hello and welcome to the IT Governance podcast for Friday, 24 November 2017. Here are this week’s stories.
The controversial ride-sharing company Uber admitted this week that it covered up a massive data breach in October 2016 instead of notifying regulators and those affected as required by law. Two attackers managed to access a GitHub site used by Uber, where they found login credentials that they then used to access an Uber Amazon Web Services account, where they found the personal information of 57 million customers and drivers around the world, including names, email addresses, mobile phone numbers and driving licence details.
In a statement released on Tuesday, Uber’s CEO, Dara Khosrowshahi, who has only been in the job for a couple of months, said:
“I recently learned that in late 2016 we became aware that two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use. The incident did not breach our corporate systems or infrastructure.
“At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals. We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.”
Just to clarify, according to Bloomberg, which broke the story on Tuesday, Uber obtained those ‘assurances’ that the data had been destroyed by paying the attackers US$100,000.
“None of this should have happened,” Khosrowshahi continued, “and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”
One of the first of those decisions? Sacking two of the people responsible for handling the incident – including the company’s chief security officer, Joe Sullivan.
It’s not yet known how many UK customers were affected by the incident. The Deputy Information Commissioner, James Dipple-Johnstone, said: “As UK citizens would expect, the ICO is in direct contact with the company to establish the numbers [of UK citizens affected] and what kind of personal data may have been compromised. […] It’s always the company’s responsibility to identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers. Deliberately concealing breaches from regulators and citizens could attract higher fines for companies.” (And we all know how much they’ll be when the GDPR comes into effect next May.)
It almost makes Equifax’s data breach response look good. Almost.
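The Uber incident above turned on credentials that had been committed to a source repository. The check below is an added example (not code from the podcast, from Uber or from any scanning tool) of the kind of pre-commit secret scan that catches this: it flags strings in AWS's documented access key ID format and flags assignments to secret-like names whose values are long and high-entropy. The sample file contents are constructed for the example, the key values are AWS's published documentation placeholders, and the length and entropy thresholds are arbitrary choices, not a standard.

```python
import math
import re

# Constructed sample: lines as they might appear in a committed config file.
# The key values are AWS's documentation placeholders, not live credentials.
SAMPLE_FILE = """\
# deploy settings (constructed example, not a real file)
region = eu-west-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
db_host = db.internal
password = hunter2
"""

# AWS access key IDs are 20 characters: a documented prefix plus 16 upper-case
# alphanumerics. AKIA = long-term key, ASIA = temporary (STS) key.
ACCESS_KEY_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")

# Generic "name = value" / "name: value" assignments whose name suggests a secret.
ASSIGNMENT_RE = re.compile(
    r"(?i)\b(?P<name>[a-z0-9_\-]*(?:secret|token|password|passwd|api_key|apikey)"
    r"[a-z0-9_\-]*)\s*[=:]\s*['\"]?(?P<value>[^'\"\s#]+)"
)


def shannon_entropy(s):
    """Bits of entropy per character; random keys score high, words score low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value, keep=4):
    """Show only a prefix so the finding itself does not leak the secret."""
    return value[:keep] + "*" * max(0, len(value) - keep)


def scan_text(text, min_len=16, min_entropy=3.5):
    """Return a list of findings; each names the line, the kind and a redacted match."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append({"line": lineno, "kind": "aws_access_key_id",
                             "match": redact(m.group(0))})
        m = ASSIGNMENT_RE.search(line)
        if m:
            value = m.group("value")
            entropy = shannon_entropy(value)
            # Short or low-entropy values (a word, a placeholder) are not reported
            # here; the thresholds are arbitrary and should be tuned per repository.
            if len(value) >= min_len and entropy >= min_entropy:
                findings.append({"line": lineno, "kind": "high_entropy_secret",
                                 "name": m.group("name"),
                                 "match": redact(value),
                                 "entropy": round(entropy, 2)})
    return findings


def has_secrets(text):
    """True if anything was flagged; a pre-commit hook would exit non-zero on this."""
    return bool(scan_text(text))


if __name__ == "__main__":
    for f in scan_text(SAMPLE_FILE):
        print(f)
    raise SystemExit(1 if has_secrets(SAMPLE_FILE) else 0)
```

Run against the sample it reports two findings: the access key ID on line 3 and the high-entropy secret on line 4, while `password = hunter2` is left alone because it is too short. In a real pre-commit hook the non-zero exit is what stops the commit; the scan is a safety net, not a substitute for keeping long-lived cloud credentials out of repositories in the first place.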
You’ll remember that a couple of weeks ago I mentioned the cock-up at Parity that saw US$280 million worth of Ethereum being frozen – apparently by accident. Well, that’s by no means the only instance of cryptocurrency going astray. Last weekend, Tether announced that nearly $31 million worth of USDT had been transferred from the Tether Treasury wallet and sent to an unauthorised bitcoin address “through malicious action by an external attacker”. (USDT, for those who haven’t heard of it, is a digital asset tied – or tethered – to the value of the US dollar, backed by actual currency that Tether holds in a reserve bank account, the idea being that users are thereby protected from the volatility of other cryptocurrencies. USDT is issued on the bitcoin blockchain via the Omni platform. You can find out more about it via Tether itself, if you want to.)
According to its blogpost, Tether “will not redeem any of the stolen tokens, and [is] in the process of attempting token recovery to prevent them from entering the broader ecosystem.” […] If you receive any of the stolen USDT tokens, “do not accept them, as they have been flagged and will not be redeemable by Tether for USD”.
Bitcoin’s value dropped sharply following the incident, but bounced back soon afterwards to a high of $8,339 according to Bloomberg.
Bitcoin itself isn’t safe either, of course. Austrian police this week reported that thieves stole more than €100,000 (£89,000) worth of bitcoin from a 36-year-old’s account while he was logged into an unsecured public Wi-Fi network. According to a police statement: “An unknown perpetrator probably got himself through a ‘fake network’, accessing the man’s laptop, and transferred all the bitcoins to an unknown, non-traceable account. Whether the unknown perpetrator until this or earlier at an earlier date procured access to the laptop of the victim, is not known. The 36-year-old suffered damage in the lower six-digit euro range.” (Thank you, Google Translate.)
Finally, good news for anyone who’s been scammed into wiring money to fraudsters via Western Union. Graham Cluley writes on Tripwire that, “As part of a deal with the US Justice Department and Federal Trade Commission (FTC), Western Union has now agreed to pay more than half a billion dollars (an eye-watering $586 million) to individuals who lost money via Western Union money transfer scams between January 1, 2004 and January 19, 2017.”
Well, that’ll do for this week. Until next time you can keep up with the latest information security news on our blog.
Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.