The Biggest & Best Portal to the Professional Property, Workplace and Built Environment Community

Sunday, 25 February

Uber And The Cyber Nightmare Ride

In an unprecedented move, the National Cyber Security Centre has commented specifically on the Uber data breach - with a coded reference to the fact that Uber tried to hide the facts from the security services and the public.

A spokesperson for the National Cyber Security Centre said: “Companies should always report any cyber attacks to the NCSC immediately. The more information a company shares in a timely manner, the better able we are to support them and prevent others falling victim.

“We are working closely with other agencies including the NCA and ICO (National Crime Agency and Information Commissioner's Office)  to investigate how this breach has affected people in the UK and advise on appropriate mitigation measures.

“Based on current information, we have not seen evidence that financial details have been compromised.”

 

Advice

If a member of the public thinks they have been a victim of cyber crime or cyber-enabled fraud, they should contact Action Fraud (0300 123 2040 or www.actionfraud.police.uk). If you have been told that your personal details, such as your password, may have been accessed, you should ensure those details are not used on any other accounts.

 

NCSC advice on targeted emails

Fraudsters can use the data they’ve acquired to make their phishing messages look much more credible, including using real names and statements such as: 'To show this is not a phishing email, we have included the month of your birth and the last 3 digits of your phone number'.

These phishing messages may not relate to the organisation that has been breached, and may use more well-known brands.

Usually, if you are the target of a phishing message, your real name will not be used. However, if fraudsters do have your name, people will need to be extra vigilant around any message that purports to be from an organisation they deal with - especially when there are attachments or links which take people to sites asking for more personal information.

 

Other advice

1. Do not feel obliged to delete the App. The incident took place over a year ago and there is no evidence of additional risk in having the App on your phone today.

2. However, immediately change the passwords you used with Uber.

Legitimate users can make a compromised password useless by replacing it with a new one the attacker does not know. If you re-used the same password on other accounts, you should change the password on those too.

3. Be alert to potential phishing emails

Phishing attacks can come through emails sent by strangers that mimic an established or trusted party to lure compromising information from the recipient. Since Uber’s data includes personal information, such as customers’ phone numbers and driving licence information, these could be used by scammers to make phishing emails more convincing. Guidance on preventative measures against phishing emails can be found here.

4. Be vigilant to potential scam phone calls

If you do receive a phone call that is suspicious - for example, one that asks you for security information - do not divulge any information and hang up. When you next pick up the phone, make sure there is a dial tone to ensure the caller is not still on the line. Immediately contact the organisation that the caller claimed to be from using a phone number gained from their company website. Do not use any details provided during the previous call – these could be bogus.

 

Which? response to Uber data breach

Alex Neill, Which? Managing Director of Home Products and Services, said: “Uber’s data breach – and the fact that it’s been hidden – will worry customers and drivers alike. It’s critical that the company does all that it can to ensure affected people get clear information about what’s happened.

“Data breaches are becoming more and more common and yet the protections for consumers are lagging behind. The UK Government should use the Data Protection Bill to give independent bodies the power to seek collective redress on behalf of affected customers when a company has failed to take sufficient action following a data breach.”

 

Uber disaster, here we go again - by Digital Pathways

The revelation that the data of some 57 million Uber customers and drivers has been leaked, with the company then paying the hackers $100,000 to delete the data and keep quiet about it, has come as yet another ‘nail in the coffin’ to the data security strategies employed by business – both large and small.

Not only did Uber’s systems allow such a hack, they failed to disclose the breach.

Colin Tankard of data security company, Digital Pathways said: “ Well, here we go again! This seems to be some kind of ransom attack and of course, under the forthcoming GDPR regulations (due to take effect in 2018) such a breach would cost the company dear, some 4% of their global turnover.

"US regulations do require companies to disclose all breaches and Uber are in clear contravention of this.

"It demonstrates the weakness of cloud based technology when it comes to adequately securing data in storage.  Whilst it seems that this data was not encrypted – an unbelievable situation in today’s climate – non-the-less, even if it had been, it may not have prevented the breach, should the hackers have had access to the right credentials.

"Two-factor authentication should have been deployed, where a unique password is required for each transaction.

"Also, had Uber been properly monitoring their event management systems they may well have pin-pointed unusual behaviour patterns or log-ons and have been able to prevent the attack.

"This is not rocket science, it just takes the will to impose robust data security systems.  It seems that there wasn’t a will to do this."

Picture: In an unprecedented move, the National Cyber Security Centre has commented specifically on the Uber data breach

 

Article written by Brian Shillibeer

Share



Related Articles

Yahoo Cyber Breach Was Bigger

Yahoo has announced (week ending Oct 6) that it is providing notice to additional user accounts affected by an August 2013 data theft previously disclosed by the company...

 Read Full Article
Top 10 IT Security Predictions for 2018

As the headline implies...in fact, blatantly states, we have the top ten IT security predictions - courtesy of Ian Kilpatrick.   1. Security blossoms in the...

 Read Full Article
If Dolly Can Be Hacked, What About The Hand Dryer?

  Connected toys with Bluetooth, wi-fi and mobile apps may seem like the perfect gift for Christmas. But Which? has found that, without appropriate safety...

 Read Full Article
Appointments In A Changing World

Wilson James has amalgamated its City of London and Southern business regions to create a £65m operational ‘powerhouse’ spearheading a targeted...

 Read Full Article
Do You Do Data? EU GDPR to Enter British Law

In a statement of intent (made on Monday 7), the government has committed to updating and strengthening data protection laws through a new Data Protection Bill. The...

 Read Full Article
Phishing Docs and the Digital Signature?

Protecting digital documents and being able to verify that the sender of a file is, in fact, who they say they are, is fast becoming a major concern for many...

 Read Full Article
What's Up Docs?

A Google spokesperson has told ThisWeekinFM: “We realise people are concerned about their Google accounts and we're now able to give a fuller explanation after...

 Read Full Article
Ransomware - Universities and Students Under Attack

63% of British universities who responded to a Freedom of Information request made by SentinelOne, admit to being the target of a ransomware attack. Over half, 56%,...

 Read Full Article
Logins Could be a Rotten Affair

Relying on 'auto-fill' to complete the login process for websites as well as storing bank card details to shopping sites such as eBay and Amazon can make for...

 Read Full Article
Benefits from Remote Security Cover

A major insurance company based in the City of London no longer needs manned guards operating 24 hours a day, seven days a week because of a remote reception system....

 Read Full Article