Uber Takes Cloud Security For A Ride
Cloud security has had a rough ride of it recently, and this past week its driver was the $68bn global transportation company, Uber.
Earlier this week, it was revealed that the personal details of Uber’s 57 million drivers and customers had been stolen back in 2016. The company then made matters worse by not reporting the breach to international data regulators, and instead paid the perpetrators $100,000 to delete the sensitive files and cover up the incident.
However, Uber’s failure to disclose the breach goes beyond non-adherence to best practice and journeys into the realm of the unethical. With such a large amount of sensitive data at stake, Uber was certainly obliged to report the breach immediately. It is no wonder then that it has made headlines and incensed both customers and legal authorities internationally.
This is not the first time Uber has driven into a security and PR storm, though. Back in 2015 a breach with a similar cause was disclosed a year after it was originally discovered. The cause then, and on this occasion, was elementary and easily avoidable.
How The Attack Happened
As well as using GitHub to store source code, the programmers at Uber had used a GitHub repository to upload security credentials, the keys to Uber’s servers hosted on Amazon. All it then took was for the hackers to find the keys and drive off with ‘the car’.
The Check Point blog describes further how the attack happened and how it could have been avoided.
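A defensive check for the failure described above, cloud credentials committed alongside source code: this Python example (added here, not code from Uber, GitHub or Check Point) scans file contents, such as the staged files in a pre-commit hook, for strings shaped like AWS access keys. The function names and the sample repository are hypothetical, and the key values are AWS's published documentation placeholders.

```python
import re

# AWS access key IDs: a type prefix (AKIA = long-term, ASIA = temporary)
# followed by 16 uppercase alphanumerics.
ACCESS_KEY_ID = re.compile(r"(?<![A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys are 40 base64-style characters; flag them only when they
# are assigned to a name that looks like a secret, to limit false positives.
SECRET_KEY = re.compile(
    r"(?i)(secret|aws)[\w.-]*\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

def redact(value):
    # Never echo a full credential into CI logs.
    return value[:4] + "*" * (len(value) - 4)

def scan_text(path, text):
    """Return (path, line_no, kind, redacted_value) for each suspected credential."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID.finditer(line):
            findings.append((path, line_no, "aws_access_key_id", redact(m.group(0))))
        for m in SECRET_KEY.finditer(line):
            findings.append((path, line_no, "aws_secret_access_key", redact(m.group(2))))
    return findings

def scan_files(files):
    """files: mapping of path -> content, e.g. the staged files of a commit."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings

# Constructed sample input (hypothetical repository layout). The key values
# are AWS's documentation examples, not real credentials.
SAMPLE_REPO = {
    "deploy/settings.py": (
        "REGION = 'us-east-1'\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    # Reading the key from the environment is the pattern that should pass.
    "app/main.py": "import os\nkey = os.environ['AWS_ACCESS_KEY_ID']\n",
}

if __name__ == "__main__":
    for finding in scan_files(SAMPLE_REPO):
        print("%s:%d %s %s" % finding)
```

A hook built on this would block the commit whenever `scan_files` returns a non-empty list. A key that has already been pushed has to be rotated, because deleting the file does not remove it from the repository history.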
Of course, cloud computing is the modern world of IT. It offers companies much greater agility and enables them to deliver applications at a fraction of the cost and time. However, the shared responsibility model is a policy that must be adopted by both the cloud provider and the organization using it to ensure customer data is stored securely in the cloud. In this way, companies can avoid being the next one to be taken for a ride.