Uber Breach

The news has been riddled with hacking, data breaches, and vulnerabilities lately. Uber is one of the most recent victims required to activate their emergency response plan. You can glean everything they know by reading a posting in their blog (http://blog.uber.com/2-27-15). In short, a database containing drivers’ names and driver’s license numbers was hacked.

“Immediately upon discovery we changed the access protocols for the database, removing the possibility of unauthorized access.” I have a problem with this line. I don’t know why someone would enable unauthorized access in the first place. But really, if there is still access to the database then the opportunity for unauthorized access still exists. While I’m sure they changed the admin password from “password1” to “P@55w0rd!”, I highly doubt they flipped the switch on unauthorized access.

Now I digress, and I’ll say that I’m glad to see that they have a multi-pronged attack at incident response. They notified the potentially impacted drivers, made technical changes, took legal action, then finally notified the public. These are all pivotal to proper incident response. If you have or are part of a business of any size and don’t have something like this in place, then schedule an appointment with Fracture Security and our legal team.

Overall, good job, Uber. I understand you won’t tell us all of the technical details of your response, but I do hope it was something successful.

