What Uber Might’ve Done to Prevent Compromising the Personal Info of 50,000 Drivers

Posted March 6, 2015

Andreas Baumhof, ThreatMetrix’s CTO, Explains How a Holistic Approach to Security Might Well Have Made All the Difference

Shoulda, coulda, woulda can’t help the 50,000 past and present Uber drivers whose personal information (names and driver’s license numbers) was compromised in the company’s recent breach. However, Andreas Baumhof offers a practical approach that could help prevent a future recurrence and help other companies avoid a similar lapse in security.

In his article on scmagazine.com, Adam Greenberg tapped Baumhof and Steve Hultquist, chief evangelist at RedSeal, for answers. His article has been edited to fit our format. You may find Greenberg’s complete piece by clicking on this link.

Enough compromised information for ID theft

“Names and driver’s license numbers are two key elements of verification of personal identity,” Hultquist said. “Combined with other information that could be gained by social engineering or by existing breaches, theft of personal identities is possible.”

Very valuable information

Andreas Baumhof, CTO of ThreatMetrix, [noted] that personally identifiable information (PII) increases in worth when more pieces of data related to a single individual are obtained.

“[If] I know your name and your associated email and then the associated address and then the associated credit card number and now the license plate, the information gets more valuable.” He went on to explain, “One reason is the use of knowledge-based authentication is still quite heavy (even by banks) where they ask you some questions that only you should know (e.g. what’s your license plate number?) to do a 2nd factor authentication.”

What they knew and when they knew it

Uber stated that a single instance of unauthorized access to one of its databases occurred on May 13, 2014. The company explained that it discovered the potential access on Sept. 17, 2014, and immediately changed the access protocols for the database.

How the breach might have occurred

“Given the information that Uber has shared, it seems likely that the breach came from the unauthorized use of an existing database access account,” Hultquist said. “The other likely option is access via a database system vulnerability, but that doesn’t seem indicated by the report.”

Baumhof’s comprehensive approach to protecting data

To prevent these types of incidents from occurring in the future, Baumhof said that a holistic approach needs to be considered. He explained that internal systems need to be restricted and secured, and access to data needs to be protected using context-based and behavioral approaches.

Uber’s John Doe Suit

According to the statement, Uber has filed a “John Doe” lawsuit so it can “gather information that may lead to confirmation of the identity of the third party.” The Register reported…that Uber subpoenaed GitHub so the latter company would turn over the IP addresses of visitors to a particular gist, which is believed to have contained a login key used to access the Uber database.

ThreatMetrix
