Uber Data Breach is a Lesson in Using Cloud Technology

Uber has admitted suffering a huge data breach in 2016 affecting 57 million users and drivers. The taxi giant concealed the breach and paid the hackers $100,000 to delete the data.

Susan Hall, a Partner and specialist lawyer in intellectual property and information and communications technology at national firm Clarke Willmott LLP, says the breach and the method of the hack is a lesson to be learned.

Susan said: “The news that Uber suffered a substantial data breach last year, and subsequently concealed it from regulators and those affected is very worrying indeed but what I find the most important and interesting aspect of this is how the breach arose.

“Hackers accessed Uber’s private development area within GitHub, an online resource for developers - they essentially went in through the tradesman’s entrance.

“From here they were able to obtain authentication and login details for Uber’s Amazon Web Service (AWS) account, a cloud computing service used by Uber to store data for back-office software development. Once into AWS the hackers accessed a large cache of hosted driver and customer data and then blackmailed Uber with the threat to release this data.

“There is a huge issue there and this particular method of hacking – a back office hack - is an important lesson in the dangers of using Cloud computing for IT development. There are two glaringly obvious questions – why was it possible to access Uber’s AWS account at all via its GitHub, and why was development apparently being carried out using ‘live’ rather than dummy data?

“While the common weakness in most hacks is the human factor, it’s tempting to think of this as unsophisticated users falling vulnerable to people with much greater technical knowledge. This does not seem to have been the case here. It seems more likely to be a case of Uber’s IT developers being careless and making use of short cuts which exposed the company to the kind of security risks which occurred here.

“I imagine Amazon Web Service may be looking at enforcing its own terms of use against Uber: typically a hosting services provider puts the onus on its customers to safeguard its logon information and passwords. AWS are presumably also looking to see whether this hack might have been used as a bridgehead for further attacks on other AWS customers.

“By concealing the hack and paying off the hackers Uber breached US laws which require notification of people who are the victim of data compromises (similar laws will come into the UK in May 2018).

“Furthermore, they impeded the ability of other organisations caught up in the hack to check how far their own systems had been compromised.”

Susan Hall is ranked in Chambers Band 2 for intellectual property and listed as recommended in three practice areas by Legal 500.  

Clarke Willmott LLP was established in 1888 and has offices in Birmingham, Bristol, Cardiff, London, Manchester, Southampton and Taunton. For more information about Clarke Willmott visit www.clarkewillmott.com
