Jeremiah Grossman, Chief of Security Strategy at SentinelOne says: “Who needs exploits when GitHub exists? GitHub is a major source of risk for companies. It's difficult, if not impossible, for an organisation to lock down this vector. Developers accidentally, and often unknowingly, share credentials over GitHub all the time where they become exposed. While traditional security controls remain crucial to organisational security, it's no good if individuals with access to private information expose their account credentials in a place where they can be obtained and misused by others.
As consumers, we can do everything we can to maintain the security and privacy of your data on your devices. But what good is it if thousands of companies have access to your data and they get hacked? It feels like a no-win situation. Organisations like Uber have a social responsibility not only to do their best to protect the data they control, but to be transparent with their users about the risks to their identity. How an organisation responds to a breach is what really separates the good from the bad, and some handle the situation far better than others in prioritising what’s in their customers’ best interests. Kudos for Uber’s new CEO to come clean on the events of the past, but it still doesn’t immediately absolve the company's actions.”
Ken Spinner, VP of Field Engineering at Varonis comments: “One of the reasons often cited for why these massive data breaches keep happening is that the penalties aren’t incentivising companies to adequately protect their data. When GDPR kicks in next May, companies that handle EU citizen data will be faced with much stiffer penalties and a 72-hour disclosure window. To give perspective: under GDPR-level penalties, Uber could be fined up to $650,000,000 for this breach (4% of their $6.5 billion revenue number for 2016). That’s a far cry from what we’re seeing now: they were breached in 2014 and fined $20,000 by the state of NY – not a deterrent at all for a company that makes billions of dollars.
The breach, at this point, could have resulted from a single point of failure. All it took was one developer making a mistake by checking a password into GitHub. Why does that password unlock so many sensitive records? These kinds of slip-ups are frequently surfaced during internal pen tests or third-party security audits. This point of failure raises the question: are Uber employees required to use 2FA for key applications like GitHub? Many attacks nowadays originate from compromised credentials; businesses need to ensure that hacking one employee’s account doesn’t unlock such a wide array of sensitive data.
This latest breach du jour is going to fire up already angry consumers, who are going to demand action and protection. Every state attorney general is going to be salivating at the prospect of suing Uber. While there are no overarching federal regulations in place in the U.S., there’s a patchwork of state regulations that dictate when disclosures must be made – often it’s when a set number of users have been affected. No doubt Uber has surpassed this threshold and violated many of them by not disclosing the breach for over a year. This is the latest example of how hiding a breach rarely benefits a company and almost surely will backfire.”