Uber has been fined by the UK DPA for UK sterling 385000/- (Approx Rs 3.5 crores) for failing to protect its customer’s data during a breach.
The breach occurred in November 2016 when GDPR notification was in place and UK was part of EU. It involved a Cyber attack on a US server of Uber maintained by Amazon Cloud service which was compromised and about 2.7 million accounts of UK citizens with names, email addresses and cell phone numbers of the users having been potentially accessed.
In US, Uber had reached an agreement with all the 50 states to pay a compensation of $140 million (approx Rs 1017 crores) for the same breach.
The ICO’s notice indicates that the attackers acquired the credentials for access to the cloud server by accessing a private repository of codes on GitHub by a trial and error based method akin to a brute force attack on a combination of user name and password. (Credential Stuffing).
Uber paid a ransom to the attackers amounting to US $100000, which they treated as a “Bug Bounty” payment and then introduced additional security to change the keys.
From the incident it appears that the user name and passwords used by 12 Uber employees on the GitHub which was available in a code in plain text was first accessed and the combination tried on the Amazon cloud server. Since the same username-password combination was used by the employees on the Amazon account, the attackers were able to access the cloud server.
The decision may appear erudite but it must be debated whether this incident indicted a “Negligence” on the part of Uber and if so, the extent of such “Negligence”. Was the security otherwise used was “Reasonable”.
Once a breach has happened, any amount of security appears inadequate. The regulator has to ideally put itself in the shoes of the Company and evaluate whether under the circumstances in which the storage was designed, the security was adequate. The regulator should avoid penalizing the business entity with the benefit of hindsight and demonstrate its power to penalize.
Further to take objection to how Uber treated the payment to the attackers whether it was “Bug Bounty” or “Ransom” was perhaps beyond the scope of the authority of ICO. It could have avoided treading into this domain which could have been an accounting necessity. It could have been dictated by the insurance coverage needs. The procedure for bug bounty not having been adopted is an matter which is of no concern to ICO.
It appears that ICO exceeded its boundaries in this respect which may be indicative of a bias with which the decision of penalty could have been arrived at.
It is also strange to observe that ICO has placed a disincentive on the Company’s right to appeal (by offering a discount if appeal is not resorted to) which may not be entirely legal.
This was a case fit for a nominal fine meant to flag a kind of attack against which companies need to guard against.
The lesson to be drawn from the incident is that “Users should not use the same user ID- Password Combination” across different services.
This will now become a new paragraph in the Password policy of every organization.