TL;DR: This is a rather long one, so I will give you the option of a TL;DR or to skip ahead if you wish.
Uber was in the headlines in November 2017 for disclosing the details of a data breach they suffered in October 2016. The breach exposed a significant amount of personally identifiable information on their drivers and riders; Uber did not inform the affected persons that their information had been exposed, negotiated with the hackers to delete the data and tried to cover up the breach entirely.
The Information Commissioner's Office (ICO) detailed that 2.7 million UK citizens had their personal data stolen in the breach. They, along with the National Cyber Security Centre, have released information for those affected.
For a bit of Sunday reading I am analysing why Uber failed so badly with regard to this breach and what we can learn from it in the wake of the General Data Protection Regulation, which comes into effect in May 2018. I have also included a positive data breach case study, Bupa Global, and what we can learn from their successes with regard to GDPR compliance.
Personally Identifiable Information (PII):
Unless you have been living under a rock recently, you will have heard the term PII, or Personally Identifiable Information. It is everywhere. Organisations are worried about it. Should I be worried about it? What exactly is it?
To give a brief overview, PII is also known as ‘personal data’. It is any information that can be related to a specific person, including but not limited to: name, personal identification numbers (social security, passport, driving licence), personal address, personal telephone, personal characteristics (such as a photo), biometric data, personally owned property details and asset information (such as an IP or MAC address).
There are other types of information which by themselves do not constitute PII, as they could apply to more than one person, such as: date of birth, place of birth, race, religion, geographical information, employment information and non-personalised medical information, to name a few. However, any of this information linked with a name, for example, would constitute PII.
DPA 1998 vs. GDPR:
Under the Data Protection Act 1998 and prior to the GDPR, the responsibility for data protection lay with the data controller; under the GDPR the processor is also placed under a direct obligation to comply with certain data protection requirements. A data processor is any third-party organisation that processes information on behalf of the controller, so the regulation leans heavily on cloud service providers and third-party hosting organisations.
With the main difference being that data processors now share the responsibility for holding personal data, it seems bizarre that GDPR has made such a splash in the headlines for the past two years; it’s only an update to our Data Protection Act, which has been in place since 1998… Ah, there is another difference: under GDPR an organisation can be fined up to 4% of their global annual turnover or €20m, instead of the current maximum, which is £500,000.
With organisations viewing data protection as part of their risk assurance, the risk has now gone up dramatically because of the high fines that follow a failure to comply. The threat of insolvency from a data breach will become oh so real, so organisations are starting to take very serious notice.
If you are interested in the regulation side of things, take a look at the 6 principles of GDPR.
Uber: Data Breach October 2016
The hack:
Bloomberg outlines the attack in detail. Uber’s software engineers use GitHub, a code-hosting service where engineers share and review code together. Two attackers compromised Uber’s GitHub account and found login credentials for Uber’s Amazon Web Services (AWS) account. The attackers accessed AWS undetected and discovered an archive of rider and driver information.
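The root cause Bloomberg describes, credentials sitting in a code repository, is exactly what a pre-commit or CI secret scan is meant to catch. The following is an added example, not code from the original article or from Uber: a minimal scanner for AWS access key pairs that uses a Shannon entropy check to skip placeholder values. The key-shape patterns, the entropy threshold and the sample config are all assumptions of this example; the sample uses the example key pair from AWS documentation, not live credentials.

```python
import math
import re
from dataclasses import dataclass

# Assumed shape of an AWS long-term credential pair: the access key ID is 20
# upper-case alphanumerics starting "AKIA" ("ASIA" for temporary keys); the secret
# is 40 base64-alphabet characters assigned to a variable whose name has "secret".
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
SECRET_KEY_RE = re.compile(
    r"(?i)aws_?secret(?:_?access)?(?:_?key)?\W{0,5}([0-9A-Za-z/+]{40})(?![0-9A-Za-z/+])"
)
MIN_SECRET_ENTROPY = 3.5  # bits per character; rejects placeholders such as "XXXX..."

@dataclass
class Finding:
    path: str
    line_no: int
    kind: str
    redacted: str  # only a redacted form of the token is ever reported or logged

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; repeated dummy values score near zero."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def redact(token: str) -> str:
    return token[:4] + "..." + token[-4:]

def scan_text(text: str, path: str = "<stdin>") -> list[Finding]:
    """Return a Finding for every line that looks like it carries an AWS credential."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(path, line_no, "access_key_id", redact(m.group(1))))
        for m in SECRET_KEY_RE.finditer(line):
            if shannon_entropy(m.group(1)) >= MIN_SECRET_ENTROPY:
                findings.append(Finding(path, line_no, "secret_access_key", redact(m.group(1))))
    return findings

# Constructed sample: a credentials file a developer might commit by mistake. Lines 3
# and 4 hold the AWS documentation example pair; line 5 is a template placeholder.
SAMPLE_CONFIG = """\
[default]
region = eu-west-2
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_secret_access_key = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG, "credentials"):
        print(f"{f.path}:{f.line_no}: {f.kind} {f.redacted}")
```

Wired into a pre-commit hook or a CI job over the diff, the same function blocks the commit before the credential ever reaches the hosting service.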
Information stolen:
A total of 57 million riders’ and drivers’ details were stolen; the PII included is broken down below:
50 million riders:
- Name
- Email address
- Phone number
7 million drivers:
- Name
- Email address
- Phone number
- Driver’s License details (600,000 drivers)
Uber specified that no Social Security numbers, credit card information, trip location details or other data were taken.
In a worst-case scenario, with this information out in the open, it could be used for targeted phishing attacks on riders and, for drivers, identity theft and credit card fraud. This is why organisations are obligated, under data protection law, to disclose the details of a breach to the people directly affected and to the ICO.
The cover up & reveal:
Uber decided not to inform riders, drivers or the ICO in this case, and took matters into their own hands. They sought out the attackers and paid them $100,000 to delete the data and keep quiet. Of course, nothing stays secret forever, and on his appointment Uber’s new Chief Executive Officer, Dara Khosrowshahi, knew that disclosing the breach, even a year overdue, would serve them better in the long run than having it disclosed later down the line.
To quote Uber’s full statement written by Dara:
“While we have not seen evidence of fraud or misuse tied to the incident, we are monitoring the affected accounts and have flagged them for additional fraud protection,”
“None of this should have happened, and I will not make excuses for it,”
“While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.”
How would Uber fare under GDPR:
There has been a huge backlash against Uber’s statement and, as you can imagine, the ICO were not best pleased. James Dipple-Johnstone, ICO Deputy Commissioner, said:
“Uber’s announcement about a concealed data breach last October raises huge concerns around its data protection policies and ethics.”
“Deliberately concealing breaches from regulators and citizens could attract higher fines for companies.”
Taking the Fortune 2016 revenue figure for Uber of $6.5 billion and the ICO’s maximum 4% fine, Uber could have been fined $28 million for this breach alone. $28 million; that is significant.
A positive case study: The Bupa Breach
In July 2017 Bupa Global experienced a breach of personal information and, in contrast to Uber, handled it rather differently.
In a statement, Bupa outlines the details of the breach: an employee of the international health insurance division had copied and removed 108,000 policy details, which included over half a million pieces of personally identifiable information such as names, dates of birth, nationality, contact details and administrative information. This information was then uploaded to AlphaBay on the dark web in the hope of selling it to the highest bidder.
Although the information released does not include financial or medical information, the PII included could be used in spear-phishing attacks by email or phone and has value to attackers.
This highlighted a few key security flaws in Bupa’s set-up:
- A lack of Data Loss Prevention (DLP) mechanisms, which would have stopped the copying and removal of such a vast set of data;
- If it was extracted via USB, then USB ports should have been disabled.
However, the major news providers have commented that Bupa handled the situation very well: they released a formal statement almost immediately and contacted every policyholder to warn of the data leak and the phishing attacks that could follow. The employee who extracted the data only had the access rights to view the lowest level of information and did not have access to the sensitive PII. This indicates that Bupa Global have implemented an access control structure for personal data and only grant access to employees who require it for their job role.
If we assume two things, firstly that they satisfy the requirements of the legal basis for collecting and storing the data, and secondly the best from the information we have available, then their data protection responsibilities are:
- Implement data protection policies
  - Satisfied: the controlled access rights, with the disgruntled employee only having access to the lowest level of PII, demonstrate that policy has been implemented.
- Adhere to codes of conduct (international and national standards) to prove compliance
  - Satisfied: they dealt with the situation very well; all people affected were informed, they made a public statement, they are taking legal action against the employee and they are changing their internal policies and technical implementation as a result of this breach.
- Implement technical and organisational measures
  - Maybe satisfied, maybe not: from what we know, a system that allows employees to extract large amounts of data undetected is unlikely to be as secure as it could be. DLP systems should be implemented.
All things considered, apart from not having a DLP system in place (or not one effective enough), can we conclude that they would satisfy data privacy regulations and be compliant in the eyes of the Information Commissioner’s Office? My answer would be yes. Well done, Bupa.
What have we learned from the failures of Uber and successes of Bupa?
If we assume that both organisations implemented sufficient technical and logical security controls to protect their systems in line with their current security policy, then that side of the regulation has been fulfilled. The difference between these two case studies is how the breach was handled. It is like your driving test: if you can convince the examiner you are competent, acknowledge when you have made a small mistake, correct it and leave them feeling safe with you in the car, you will pass. In the same vein, if the Information Commissioner’s Office agrees that you protected yourself to the best of your ability and a breach still occurred, it is your handling of the breach to minimise the damage that is assessed.
Failures happen; owning up to them should be praised, and we should use these situations to learn how not to deal with data breaches in the future.