NOTICE: Uber breach is reminder to report IT security incidents & protect credentials

Tuesday, November 28, 2017

The information below was sent to the IT Security Community via email on November 28, 2017.

The recently revealed data breach and cover-up at Uber is a reminder to all of us of two things:

  • The importance of reporting suspected IT security incidents.
  • The need to protect credential sets and pay attention to where they are stored

Report Actual and Suspected IT Security Incidents

The personal data of 57 million Uber customers and drivers was stolen in October 2016, yet Uber failed to report the breach to regulators as required. Instead, Uber paid the data thieves $100,000 to keep the breach a secret. By doing so, Uber may have violated U.S. state and federal laws, as well as laws and regulations in other countries, to say nothing of violating best practices in breach reporting.

Not only do we value transparency and openness at the University of Michigan, we have policies and guidelines to back that up. If you suspect or are aware of an IT security incident, you must report it. This is required by Information Security Incident Reporting (SPG 601.25).

Information Assurance stands ready to investigate and help coordinate the incident to ensure that the university complies with laws and regulations. It is far better to report a suspected IT security incident that turns out to be a false alarm than it is to neglect to report a suspected incident that turns out to be serious.

Protect Credentials

The data thieves were able to exploit Uber’s network because Uber uploaded software code to GitHub that mistakenly included credential sets. GitHub is a development platform that allows IT professionals to collaborate and develop software code. It is intended to enable collaboration and should not be used to store passwords, access tokens, private keys, or other credentials.

Please remind developers in your unit to exercise great care when using shared development platforms.

  • Never upload credentials to public services that may be accessed by non-authorized individuals.
  • Keep careful track of credentials to prevent accidentally including them when storing or sharing files. See, for example GitHub's Removing sensitive data from a repository.
  • If you add credentials to code to allow automated access to privileged data or services, carefully restrict how and where that credential-laden software is shared.
  • Also pay attention to any logging of that data or of transactions that use it.

Thank you for all you do on a daily basis to protect the university.