One of the biggest advantages of connecting vehicles wirelessly to each other and the cloud is the visibility it brings into large amounts of data. Companies as diverse as Uber, Navistar, and Tesla have embraced connected technology, allowing them to monitor their assets, communicate with vehicles remotely, and even let the collective wisdom of an entire fleet train autonomous algorithms.
Yet there are substantial risks that come with embracing connectivity and the big data it generates: over-the-air connectivity draws hackers in like moths to a flame, and as data accumulates, it becomes an increasingly valuable asset. Corporate America is well aware that cybersecurity is more aspiration than reality: banks get hacked, the Department of Defense gets hacked, and even the National Security Agency gets hacked.
Enterprises have realized that because absolutely secure connected networks are almost impossible to achieve, they have to think beyond simply trying to eliminate vulnerabilities before a software product is released. Inevitably, vulnerabilities will be discovered. The challenge is in how to respond to the vulnerabilities.
Uber’s approach is one favored by many large companies: the chief security officer oversees a ‘bug bounty’ program where hackers who discover flaws can disclose them to Uber in exchange for large monetary rewards (normally limited to $10K in Uber’s case). But the story doesn’t end there. Depending on what kind of vulnerability it is, employees, customers, and other partners may need to be notified.
In November 2016, Uber’s chief security officer Joe Sullivan got an email from “John Doughs” that reported a flaw in Uber’s software putting 57M driver and rider accounts at risk. Uber had launched its bug bounty program earlier that same year and had already paid rewards to hundreds of hackers when the Doughs email arrived. Uber eventually paid Doughs $100K, but didn’t report the breach until a year later.
It turned out the breach wasn’t even that sophisticated: Uber engineers had been using GitHub to store backup code, including config files and private keys to Uber’s Amazon Web Services servers, where the majority of the company’s data resided. The hacker—someone living in a Florida trailer park named Brandon—found the keys and started squeezing Uber for money. Eventually, then-CEO Travis Kalanick approved the hacker’s unusually high payment.
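The failure mode described here, cloud credentials committed to a code repository, is exactly what a secret scan run before each commit is meant to catch. The following is an added example, not Uber’s or GitHub’s code: a minimal scanner for AWS access key IDs and secret keys, fed a constructed config file that uses the placeholder credentials from AWS’s own documentation.

```python
import re
import sys
from dataclasses import dataclass
from typing import List

# Constructed sample: a credentials file of the kind that must never be committed.
# The key values are the public placeholders from AWS documentation, not real keys.
SAMPLE_CONFIG = """\
[default]
region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
[clean]
region = us-west-2
"""

# Long-lived (AKIA) and temporary (ASIA) access key IDs: prefix plus 16 uppercase alphanumerics.
AWS_ACCESS_KEY_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
# Secret key assigned in an INI/YAML-style line: 40 base64-alphabet characters.
AWS_SECRET_KEY_RE = re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*([A-Za-z0-9/+=]{40})\b")


@dataclass
class Finding:
    line_no: int
    kind: str
    redacted: str  # never log the full secret, even in a scanner report


def redact(secret: str) -> str:
    """Keep only the first four characters so the report is safe to store."""
    return secret[:4] + "*" * (len(secret) - 4)


def scan_text(text: str) -> List[Finding]:
    """Return one Finding per credential-looking token, with line numbers."""
    findings: List[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(n, "aws_access_key_id", redact(m.group(0))))
        m = AWS_SECRET_KEY_RE.search(line)
        if m:
            findings.append(Finding(n, "aws_secret_access_key", redact(m.group(1))))
    return findings


if __name__ == "__main__":
    # Usable as a pre-commit hook: scan the staged files given on argv, fail on any hit.
    texts = [open(p, encoding="utf-8", errors="replace").read() for p in sys.argv[1:]] or [SAMPLE_CONFIG]
    hits = [f for t in texts for f in scan_text(t)]
    for f in hits:
        print(f"line {f.line_no}: {f.kind} = {f.redacted}")
    sys.exit(1 if hits else 0)
```

Run with no arguments it scans the embedded sample and exits non-zero; a real hook would pass the staged file paths.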
Several state attorneys general sued Uber, accusing the ride-hailing company of covering up the hack.
Yesterday, Uber settled the lawsuit, agreeing to pay $148M to all fifty states and Washington D.C. Uber’s chief security officer, Sullivan, and the lawyer who directly supervised the payments to the hacker were both fired when outside law firms told Uber that the breach should have been disclosed to the people affected and government officials.
The settlement isn’t the end for Uber, though—the Department of Justice is also investigating Uber’s failure to disclose the breach in a separate criminal inquiry.
What does all of this mean for data-intensive companies? It means not only that cybersecurity is an expensive, ongoing investment necessary to protect the company’s operations and assets, but also that legal processes have to be established to deal with vulnerabilities when they arise and to mitigate damage in an open, transparent way.
The scale and network effect of connected fleets and the data they generate have become a multiplier for both value and risk, exponentially increasing insight about markets and crowd behavior but also the number of potential victims and litigants.
“None of this should have happened, and I will not make excuses for it,” Uber CEO Dara Khosrowshahi wrote in a blog post when Uber acknowledged the hack last year. “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.”