Once More Into the Breach!

Wednesday, December 6, 2017
Once More Into the Breach


Lessons we can learn from UBER on Incident Response and the implications of GDPR.

The technology world could refer to the last Decade as “10 years of the breach”.  At first, they were monthly, then fortnightly, weekly and now almost daily – with companies who have come out with their hands up and apologised for the latest breach.

Many organisations in the “regulated world” have the right technology and processes deployed.  These companies are the most clear-sighted about what has happened, notify their customers, board and employees and follow their breach plan, and move on quickly.

Other organisations, often those who operate in a “less regulated” commercial world, have less stringent regulations on how they look after their customer data.  These organisations tend to take a “less than opaque” approach to their security, and the recent UBER breach seems to fit into this bracket. 

The full facts are not public, but it appears that UBER had a data breach with as many as 57 Million customers & drivers’ personal records stolen, yet UBER chose to pay a “ransom" fee to their adversary and then not notify anyone about the hack, for as much as year. Their adversary claims to have deleted the data, but it takes a huge leap of faith to believe that a hacker has not sold / disclosed this data, it also validates this as tactic they can reuse. 

In 2018 the rules change as all organisations who operate in Europe will need to comply with the General Data Protection Regulation (GDPR), and this means breach notification is for everyone, not just the highly regulated businesses, and what’s more the stick for not doing so could be a very very big fine. 

Key facts of GDPR that organisations need to be aware of include,

  • An organisation must report a data breach within 72 hours
  • The cost of non-disclosure could be as much as 4% of a company’s annual turnover
  • Organisations must have the procedures in place to delete personal data in the case of a “right to be forgotten” request

So, what can organisations really do to help protect themselves;

Defence in depth is always the mantra of Security Professionals, but here are some of the modern layers that need to be in place:

  1.  Gain deep visibility into internet communications, both inbound to prevent/ understand the threat, and outbound to stop leakage of that critical corporate data. 
  2.  Use Offensive Security tactics by placing decoys, traps and lures on the network that provide an early warning system if touched and act as the modern day “canary in the mine” and can help keep the hacker out of the real systems.

  3.  Deploy Endpoint Security solutions, covering not just anti-virus but also providing visibility of what’s running on the endpoint, changes being made and the ability to do investigation and response.

  4.  Plan your breach process, the first 72 hours is key, during a breach is not the time to work out how and what to do, the plan will always need some tweaking but starting from scratch just won’t work.

  5.  Keep technology current and don’t forget to patch.

“From a security standpoint, all organisations need to get deep visibility of what’s happening to their systems and one has to question whether Uber has the right systems and process in place to protect our data. Deception should also be part of its security defence strategy. By placing decoys, traps and lures on the network, companies can expose and defuse attacks before any real damage is done – all while protecting key data assets wherever they reside.”

For more in-depth information, download our white paper, “Are You Ready for European Data Protection Reform?”

 

Andrew Bushby,
UK Director, Fidelis Cybersecurity