Uber Hack: A Bad Breach, But A Worse Cover-Up

The Uber hack is a public lesson that a breach may be bad, but a cover-up is worse.  (See Nixon, Richard.)  It was a foolish mistake to try to hide an attack of this scale, but then, the history of security is a process where we all slowly learn from foolish mistakes.  We live in an evolutionary arms race – our defenses are forced to improve, so the attackers mutate their methods and move on.  Academically, we know what it takes to achieve ideal security, but in the real world, it’s too expensive and invasive to be practical.  (See quantum cryptography for one example.)  Companies rushing to grow and make profits (like Uber) aggressively try to cut corners, but end up finding out the hard way which corners cannot safely be cut.

It’s likely that the stolen data was, in fact, deleted.  Why?  For one thing, we would likely have seen bad actors using or selling the data if it were still available.  From the attacker’s point of view, data like this is more like milk than cheese – it doesn’t age well.  Many breaches are only detected when we see bad guys using what they have stolen, but nobody has reported a series of thefts or impersonations that track back to victims whose common link is that they used Uber.

But we can also see that the data was likely deleted when we think about the motives of the attackers.  Our adversaries are thoughtful people, looking for maximum payout for minimum risk.  They really don’t care about our names, or trip histories, or even credit card numbers – they just want to turn data into money, using the best risk-reward tradeoff they can find.  They had three choices: use the data, delete it, or both (by taking Uber’s hush money, but releasing the data anyway).  The problem with “both” is that thieves worry about reputation – indeed, they care more about that than most.  (“To live outside the law, you must be honest” – Bob Dylan.)  Once you’ve found a blackmail victim, the one thing you don’t do is give up your power over them – if the attackers took the money but then released the data anyway, they could be sure Uber would not pay them again if they broke in again.  The cost/benefit analysis is clear – taking a known pot of money for a cover-up is safer and more repeatable than the uncertain rewards of using the stolen data directly.