What happened: The Uber Hack

Last week it came to light that Uber bosses had covered up a massive breach in the company’s security. It was revealed that customer data had been stolen in October 2016, and that Uber then paid the ransom of $100,000 to retrieve the data. The key point about this incident is that Uber chose to keep it private. Users were not made aware of the breach. The names and driving licence numbers of 600,000 drivers in the US were taken, along with the names, email addresses and phone numbers of 57 million user accounts globally.

Uber requested that the hackers sign a non-disclosure agreement, and then disguised the ransom payment as a ‘bug bounty’. A bug bounty is where organisations reward ethical hackers for revealing weaknesses in their security systems so that they can then fix them.

The cover-up occurred under previous management, implicating the company’s former CEO Travis Kalanick and Chief Security Officer, Joe Sullivan. Joe Sullivan has been forced to leave the company following news of the hack coming to light. Travis Kalanick has already left, leaving current CEO Dara Khosrowshahi to deal with the aftermath.

Under the state law of California, where Uber is based, organisations are required to notify users in the event of a data breach. Uber has released a statement explaining who was affected by the breach and the steps it has taken to improve its security. The company says it is in the process of notifying the drivers who were affected. You can contact Uber from your account to check if your information was accessed.

What should you do to avoid the risk of your business being hacked?

Check your security measures

Incidents like this are a reminder for all businesses that we need to look at our own security measures, to mitigate the risks as much as possible. Securing ourselves from attack is the best way to prevent loss of data and ensure customer privacy. Carrying out a security audit to assess your current level of protection and looking at areas that can be improved is the best strategy for a proactive security approach.

Two-factor authentication (2FA)

Using two-factor authentication is a straightforward way to increase your security. It requires users to log on using a code that is sent to their mobile phone in addition to entering their password. The code is unique and must be entered each time, which provides an extra layer of security for your systems. Given that your employees can unwittingly be your biggest security risk, this is a great way to help them be more secure.

Endpoint Control

Endpoint control is a method of securing yourself from USB device threats, in which cyber criminals target organisations using USB sticks. They do this by leaving a USB stick lying around for unsuspecting individuals to pick up. Once someone plugs it into a machine, malware loaded onto the stick can infect the user’s computer and the rest of the network. Often the devices are labelled in a way that will make people curious to see what is on them, such as “HR files”. Using endpoint control enables you to set rules to determine how desktops and laptops can work with USB devices. For example, you can set a rule that an unknown USB stick cannot be used on a work computer.

Update security patches on all devices

It is important to frequently carry out all updates and security patches on your devices as they become available. This is something an IT support partner should be doing for you on a regular basis, ensuring that you are always protected.

Admin rights

Users can often be your weakest link, so ensuring that not everyone has administration rights is a simple way to mitigate the risks associated with hacks and security breaches. Making sure that those who don’t need admin rights do not have them means you can reduce the risk of hackers accessing all machines via a single breached device on your network.

Security Training

You can send your employees on security training courses to increase their awareness of cyber security threats. Netstar provides a service where we send you safe phishing emails and can report on who falls for them. This not only allows you to identify which employees might need the training the most, but also helps give employees a better understanding of what a cyber threat can look like in their inbox.