$100K vs. $150M – From Ransom to Clean Up
For a CEO, CISO, or a security professional, nothing instigates a wave of panic like receiving a dreaded message such as “Your files have been encrypted” with a link that reveals a ransom demand.
However, sometimes what is most feared – the ransom demand – is not the financial punch that hurts the most. Often, the attack’s cleanup costs deliver the most devastating blow. No example in recent history illustrates this better than Uber’s 2016 data breach, in which a $100,000 ransom demand ended up costing the company well over $150 million.
How Uber’s 2016 data breach costs reached over $150 million
In the case of Uber, it wasn’t the breach that set tongues wagging. It was the intentional coverup by the company’s CSO and other executives.
In 2016, threat actors breached a third-party server. They stole the personal information of 57 million Uber customers and over seven million drivers, including the driver’s license numbers of 600,000 drivers. In an attempt to hide the breach, the CSO, John Sullivan, paid the hackers’ $100,000 bitcoin ransom, but the concealment went further. The company tracked down the hackers, forced them to sign nondisclosure agreements (NDAs), and falsely attributed the ransom payment to a bug bounty.
Uber managed to keep the secret for some time, but in November 2017, the company publicly announced it discovered the breach while reviewing its business practices. Uber’s failure to disclose the breach in a timely manner led to multiple investigations and legal action from all 50 states’ attorneys general and the FTC.
After paying lawyers and investigative consultants, legal settlements, and credit monitoring and identity theft protection services for everyone affected, the total cost of the breach amounted to well above $148 million. In addition, Uber lost the public’s trust and many customers, resulting in even more financial loss.
The lesson for every company
Had Uber come clean from the beginning, the incident wouldn’t be synonymous with “how not to handle a data breach.”
Data breaches in and of themselves are, unfortunately, common, but the staggering cost of Uber’s breach is a direct reflection of how a mismanaged breach can cause costs to skyrocket. Sure, Uber would have had to pay the ransom and the costs associated with notifying and supporting those whose data was exposed. That could have easily stretched into the millions.
However, if Uber had been transparent and upfront, it would have avoided the nationwide lawsuits, which were settled for $148 million.
The Uber data breach of 2022
Uber fell victim to another attack in September 2022. According to Uber’s announcement, a hacker bought an Uber contractor’s corporate credentials on the dark web. Initially, the hacker couldn’t access Uber’s network because the contractor’s account was protected with two-factor authentication. The hacker messaged the contractor, claimed to be from Uber’s security team, and told the contractor to approve the MFA notifications. When the contractor did, the threat actor entered Uber’s network.
The hacker accessed Uber’s VPN and found Microsoft PowerShell scripts containing admin user login credentials. He used those to access DA, Duo, AWS, OneLogin, GSuite, and Uber’s bug bounty reports.
Since data wasn’t stolen and the hacker didn’t demand a ransom, the motivation appears to be more about gaining clout in the hacker community.
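The hardcoded admin credentials in PowerShell scripts described above are something a defender can search for before an intruder does. The following is an added example, not code from Uber or CYREBRO: a small Python scanner that flags credential literals in PowerShell source and redacts them in its report. The rule names, keyword list, sample script, and the `Connect-Thing` cmdlet are constructed assumptions.

```python
import re

# A quoted literal that does not start with a variable reference ($...).
LIT = r"""(['"])(?P<val>(?!\$)[^'"\n]+)\1"""

# Assumed rule set for this example; tune the keywords to your own scripts.
RULES = [
    ("plaintext-securestring", re.compile(
        r"ConvertTo-SecureString\s+(?:-String\s+)?" + LIT + r"[^\n]*-AsPlainText", re.I)),
    ("secret-variable-literal", re.compile(
        r"\$\w*(?:pass(?:word|wd)?|pwd|secret|token|apikey)\w*\s*=\s*" + LIT, re.I)),
    ("password-parameter-literal", re.compile(
        r"-(?:Password|Pass|Pwd)\s+" + LIT, re.I)),
]

def redact(value):
    """Keep two characters for triage; never echo the full secret into a report."""
    return value[:2] + "*" * max(len(value) - 2, 0)

def scan_script(text, path="<memory>"):
    """Return one finding per line that embeds a credential literal.
    Commented-out lines are scanned too: a retired password in a comment
    is still readable by anyone who can read the file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, rx in RULES:
            m = rx.search(line)
            if m:
                findings.append({"path": path, "line": lineno, "rule": rule,
                                 "preview": redact(m.group("val"))})
                break  # first matching rule is enough for this line
    return findings

# Constructed sample script, not taken from any real environment.
SAMPLE_PS1 = r'''
# constructed sample for the scanner
$adminUser = "svc-pam-admin"
$adminPass = "Examp1e-Passw0rd!"
$sec = ConvertTo-SecureString "Examp1e-Passw0rd!" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($adminUser, $sec)
$safe = Get-Credential -Message "PAM admin"
$fromVault = ConvertTo-SecureString $env:PAM_SECRET -AsPlainText -Force
# $oldPassword = 'Retired-Examp1e'
Connect-Thing -Server pam.example.internal -Password 'Examp1e-Passw0rd!'
'''

if __name__ == "__main__":
    for f in scan_script(SAMPLE_PS1, "deploy.ps1"):
        print(f"{f['path']}:{f['line']}: {f['rule']} ({f['preview']})")
```

Lines that fetch the secret at run time (`Get-Credential`, an environment variable) are not flagged; only literals are.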
Could Uber have prevented another attack?
Uber becoming a victim again underscores the need for companies to continually work toward hardening their security posture. While security teams have a lot to contend with, closing critical gaps should always be a top priority.
If Uber is like most companies, its security team is probably understaffed. Over the last decade, the demand for cybersecurity specialists has grown exponentially, yet there aren’t enough skilled professionals to fill all the openings.
Short-staffed companies should consider using a managed SOC provider such as CYREBRO. Managed SOC solutions can alleviate a lot of the burden on in-house IT teams by providing 24/7 monitoring, incident response, threat hunting, threat intelligence, and more. For SMBs, in particular, a managed SOC can reduce overall security costs, help secure necessary cyber insurance, and free up employees for other business-critical tasks.
The 3 phases of breach management
Whether a company handles breaches in-house or with an external provider, the way to reduce longtail costs comes down to properly executing the three stages of breach management.
Stage 1: Containing the breach
Isolate affected systems from the network to prevent malware from spreading further and to stop unauthorized access. Coordinate the shutdown according to the incident response (IR) policy and ensure communications are dispersed to all IR personnel. Close gateways that were used for the breach, eliminate any backdoors that the attacker may have set up, identify IOCs (indicators of compromise) and search for the TTPs (tactics, techniques, and procedures) hackers used to penetrate your security.
Stage 2: Cleaning up after the breach
After removing any malware (and erasing affected systems if needed), restore the systems from unaffected backups. Test systems to confirm they are functioning correctly and continually assess them to ensure any exploited vulnerability is patched and infections are completely removed.
Stage 3: Closing gaps and strengthening security postures
After patching and updating systems and software, review and update security controls such as firewalls, antivirus software, and intrusion detection and prevention systems (IDPS) to ensure they are properly configured. Implement new security controls, and review and update incident response and incident management policies and procedures.
Conduct regular security assessments with vulnerability scans and penetration testing to identify new vulnerabilities and update compliance policies if needed. Finally, raise employee awareness with training sessions that cover security best practices and how to detect and report suspicious activity. Uber could have avoided its latest breach if it had taken that step.
Lowering Data Breach Costs
Should you walk into your office one day and find that heart-stopping message telling you that you are the victim of a data breach, remember that the ransom demand is only a tiny slice of the cost.
Each piece of the data breach pie comes with its own price tag. You might need to pay for investigators and lawyers, industry-related fines, customer protection services, and experts to help restore your reputation.
Put yourself in the best position to deal with breaches by having an effective incident response plan and a team or partner to manage the response when needed. Failing to be prepared increases risk and could lead to your organization becoming the next news story or worse – having to close shop because of overwhelming breach costs.