The information below was sent to the IT Security Community via email on November 28, 2017.
The recently revealed data breach and cover-up at Uber is a reminder to all of us of two things:
- The importance of reporting suspected IT security incidents.
- The need to protect credential sets and pay attention to where they are stored.
Report Actual and Suspected IT Security Incidents
The personal data of 57 million Uber customers and drivers was stolen in October 2016, yet Uber failed to report the breach to regulators as required. Instead, Uber paid the data thieves $100,000 to keep the breach a secret. By doing so, Uber may have violated U.S. state and federal laws, as well as laws and regulations in other countries, to say nothing of violating best practices in breach reporting.
Not only do we value transparency and openness at the University of Michigan, we have policies and guidelines to back that up. If you suspect or are aware of an IT security incident, you must report it. This is required by Information Security Incident Reporting (SPG 601.25).
Information Assurance stands ready to investigate and help coordinate the incident to ensure that the university complies with laws and regulations. It is far better to report a suspected IT security incident that turns out to be a false alarm than it is to neglect to report a suspected incident that turns out to be serious.
The data thieves were able to exploit Uber’s network because Uber uploaded software code to GitHub that mistakenly included credential sets. GitHub is a development platform that allows IT professionals to collaborate and develop software code. It is intended to enable collaboration and should not be used to store passwords, access tokens, private keys, or other credentials.
Please remind developers in your unit to exercise great care when using shared development platforms.
- Never upload credentials to public services that may be accessed by non-authorized individuals.
- Keep careful track of credentials to prevent accidentally including them when storing or sharing files. See, for example, GitHub's Removing sensitive data from a repository.
- If you add credentials to code to allow automated access to privileged data or services, carefully restrict how and where that credential-laden software is shared.
- Also pay attention to any logging of that data or of transactions that use it.
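One practical way to act on the guidance above is to check files for credential-shaped strings before they are pushed to a shared platform. The script below is an added illustration, not University of Michigan or GitHub code; its patterns are a small hand-picked set and the sample files and credentials in it are constructed.

```python
"""Flag likely credentials in text before it is committed.

Added illustration for the guidance above; not University of Michigan
or GitHub code. The patterns are assumptions: a small, hand-picked set
that catches common credential shapes, not a complete secret scanner.
"""
import re
from typing import List, Tuple

# (label, compiled pattern): assumed patterns for common credential shapes
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("hardcoded_password", re.compile(r"(?i)(?:password|passwd|pwd)\s*[:=]\s*['\"][^'\"]{6,}['\"]")),
    ("bearer_token", re.compile(r"(?i)\bbearer\s+[A-Za-z0-9\-_.=]{20,}")),
]


def scan_text(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, label) for every line that matches a pattern."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern in PATTERNS:
            if pattern.search(line):
                findings.append((lineno, label))
    return findings


def scan_files(files: dict) -> dict:
    """Scan a mapping of path -> contents; return only the paths with findings."""
    return {path: hits for path, contents in files.items()
            if (hits := scan_text(contents))}


# Constructed sample of staged files; the credentials in it are fake.
SAMPLE_FILES = {
    "config.py": 'DB_HOST = "db.example.internal"\nDB_PASSWORD = "hunter2-not-real"\n',
    "deploy.sh": "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "README.md": "Set credentials through environment variables, never in the repo.\n",
}

if __name__ == "__main__":
    report = scan_files(SAMPLE_FILES)
    for path, hits in report.items():
        for lineno, label in hits:
            print(f"{path}:{lineno}: possible {label}")
    # A pre-commit hook would exit non-zero here to block the commit.
    raise SystemExit(1 if report else 0)
```

Wired into a pre-commit hook and fed the staged file contents, a non-zero exit blocks the commit until the credential is moved out of the repository.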
Thank you for all you do on a daily basis to protect the university.
- The Uber data breach has implications for us all (Financial Times, 11/27/17)
- Mexican authorities seek information from Uber about data breach (Reuters, 11/26/17)
- Uber is sued over massive data breach after paying hackers to keep quiet (The Washington Post, 11/24/17)
- Five state attorneys general are investigating Uber breach (Engadget, 11/24/17)
- Uber Hack Shows Vulnerability of Software Code-Sharing Services (Bloomberg, 11/22/17)
- Uber Paid Hackers to Delete Stolen Data on 57 Million People (Bloomberg, 11/21/17)
- Regulators to press Uber after it admits covering up data breach (Reuters, 11/21/17)
- Uber Hid 2016 Breach, Paying Hackers to Delete Stolen Data (The New York Times, 11/21/17)
- Hack Brief: Uber Paid Off Hackers to Hide a 57-Million User Data Breach (Wired, 11/21/17)
- GitHub secret key finder released to public (ZDNet, 1/9/17)
- Secrets in the code (GitHub, 2013)