Historic Hacks of the 2010s, Part 2

Written by Calvin Harper

Published: 29 July 2019

Page 1 of 2

Earlier this year, we revisited hack attacks from the infancy of the internet era, and then from the 2000s. Now we're moving forward in time to the immediate past and the present, where no hack is too big to conceive of.

Hacking has come a long way since an irate Nevil Maskelyne punked Guglielmo Marconi in 1903. We hear almost daily of data breaches that expose hundreds of thousands, if not millions of personal records.

The frequency of breaches and their associated costs of remediation are increasing. According to a study by IBM Security and the Ponemon Institute, an average data breach exposes 25,500 personal records and costs organizations $3.92 million to clean up. In addition to lost time and money, a breach can also irreparably damage a company’s reputation — Yahoo! comes to mind.

The good news is that private businesses of all sizes are aware of the need to up their cybersecurity and are taking appropriate steps. Some are doing so preemptively, others unfortunately only after suffering a hack.

Governments at all levels are following suit, but typically lagging behind private industry in their level and speed of response. By their nature, governments are bureaucratic, functioning in a sea of red tape. Throw in poor cybersecurity practices, complex legacy systems and scarce resources and it is easy to see why they are falling behind.

The primary victims of the war between hackers and cybersecurity professionals are everyday people.  On an individual level, they bear the yearslong burdens and costs of repairing credit ratings and reclaiming identities. Justifiably angry at data breaches, they are demanding that elected officials take action.

Unfortunately, while government can play an important role in cybersecurity through regulations and policies, its involvement can easily create additional problems in the balance between freedom and security. As Benjamin Franklin knew, it is a difficult thing to do.

Most people agree that businesses that fail to protect personal data should be accountable, but how much. As the following hacks show, the desire of elected officials to “solve” data breaches has the potential to open a Pandora’s Box of excessive burdening on business and overly punitive punishments for C-level executives guilty of nothing more than being outwitted by cybercriminals.

Uber (2016)

Uber Technologies, Inc. the multinational transportation network company best known for peer-to-peer ridesharing went public earlier this year. Marketing its shares at $45 apiece, the company raised an impressive $8.1 billion.

The company’s current market value is north of $82 billion — not bad for an organization that, two years earlier, endured a seemingly endless litany of bad publicity stumbling from one scandal to another. In January 2017, the company dealt with the viral #DeleteUber campaign for profiting during the New York City taxi drivers’ work stoppage.

February 2017 found them handling claims of company-wide sexual harassment. And finally, in March, they were exposed for deceiving authorities in cities where Uber was not allowed to operate, and cheating drivers out of millions of dollars.

What really made 2017 a downer, however, was news of a data breach from the year before. In October 2016, hackers accessed Uber’s GitHub account and pilfered data containing usernames and password credential to Uber’s Amazon Web Services account. The breach exposed unencrypted names, email addresses and mobile phone numbers of 57 million users of the Uber app as well as the drivers license numbers of 600,000 Uber contractors.

While the hack was damaging enough, it was management’s response that really hurt the company — an absolute dumpster fire. Under existing data breach notification statutes, the only way for a company to have direct liability for a breach is to not give notice of it happening, which is exactly what Uber did.

After Bloomberg News reported the breach, Uber’s management hurried to play catch-up, publicly admitting the intrusion. When asked why they did not alert the public to the breach on their own, management sheepishly admitted they had paid the hackers $100,000 for a promise to destroy the stolen data with no way to verify that they would so. Uber even went so far as to bury the hundred-grand expense in their financial statements by labelling it a “bug bounty” fee.

Aftermath: Uber reached a $148 million settlement with 50 state attorneys general and fired their Chief Security Officer, Joseph Sullivan, for concealing the breach and paying the ransom. CEO Dara Khosrowshahi issued the obligatory apology acknowledging the breach and cover-up and declaring, “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.”

The Federal Trade Commission (FTC) mandated that Uber undergo onerous third-party audits for the next 20 years and provide records of its bug bounty reports relating to vulnerabilities in their consumer data.

Public knowledge of the hack hit at the worst time possible for Uber, as it was deep in negotiations to sell a large stake in the company to Softbank. The initial valuation of the company at that time had been $68 billion. When the deal closed a month later, valuation had fallen sharply to $48 billion.

Comments are closed.