
23 November, 2017

The Sophos take on the Uber breach

What could happen now that ride-sharing company Uber has admitted not only the theft of data on 50 million customers and 7 million drivers globally, but also paying off the hackers?

Security firm Sophos advises the victims to monitor their credit scores and keep their eyes peeled for additional information on what was stolen.

Sophos Principal Research Scientist Chester Wisniewski said that development environments are vulnerable to data theft. “Uber's breach demonstrates once again how developers need to take security seriously and never embed or deploy access tokens and keys in source code repositories. I would say it feels like I have watched this movie before, but usually organisations aren't caught while actively involved in a coverup,” he said.

“Putting the drama aside and the potential impacts from the upcoming General Data Protection Regulation (GDPR) enforcement, this is just another development team with poor security practices that has shared credentials. Sadly, this is common more often than not in agile development environments.”
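A defender's check for the practice Wisniewski describes: an added example (not Sophos's or Uber's code) of a minimal pre-commit scanner that flags credential-shaped strings before they reach a repository. The token patterns, placeholder list and sample config file are constructed for illustration, not taken from any vendor's documented formats.

```python
"""Minimal pre-commit secret scanner (added example): flags access tokens
and keys that should never be committed to a source repository."""
import math
import re

# Constructed, illustrative credential shapes (assumption: not an exhaustive
# or authoritative list of any vendor's token formats).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)\b(?:secret|token|api[_-]?key|password)\b\s*[:=]\s*['\"]([^'\"\s]{16,})['\"]"
    ),
}
PLACEHOLDERS = {"changeme", "<redacted>", "<your_token_here>"}

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: random keys score high, words score low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan_text(text: str, min_entropy: float = 3.5) -> list[dict]:
    """Return one finding per suspicious line: {line, rule, snippet}."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pat in PATTERNS.items():
            m = pat.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            if value.lower() in PLACEHOLDERS:
                continue
            # Keyword assignments are reported only when the value looks random,
            # which keeps documentation examples and placeholders out of the report.
            if rule == "generic_assignment" and shannon_entropy(value) < min_entropy:
                continue
            # Never echo the full secret into CI logs; a short prefix is enough.
            findings.append({"line": lineno, "rule": rule, "snippet": value[:4] + "..."})
            break  # one finding per line is enough to block the commit
    return findings

# Constructed sample of a config file about to be committed (not real credentials).
SAMPLE = """\
db_host = "db.internal.example"
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
api_key = "<your_token_here>"
token = "8f3kQ2zLm9vXp1RtY7wB4nC6dE0hJ5sA"
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f['line']}: {f['rule']} ({f['snippet']})")
```

Wired into a pre-commit hook, a non-empty result from `scan_text` over the staged files is the signal to reject the commit and rotate anything already exposed.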

Sophos also believes that Uber is not the only company to conceal a data breach or cyberattack, and will not be the last, either. The fallout from such admissions can be very damaging, and with the GDPR penalties* for data breaches, expensive too. Uber in fact suffered a similar breach in May 2014 but did not disclose it until February 2015, Sophos reported in a blog post.

Explore:

Read the TechTrade Asia blog post on the Malaysian telco customer data breach

*Under GDPR, organisations in breach can be fined up to 4% of annual global turnover or €20 million (whichever is greater).
