In November 2017, it was found out that Uber had been breached and the records of 57 million people were stolen.
Now you would have thought that a company like Uber would be quite security conscious considering it manages tens of millions of customer's personal and credit card details, including the details of the Uber drivers.
But sadly, this appears not to be the case and Uber failed badly at protecting the very information that runs its organisation.
Some ethical issues were also raised concerning Uber's actions regarding the breach, but this hardly comes as a surprise considering its slackness in protecting personal information.
The hack occurred when Uber's GitHub account was compromised. GitHub is a Web-based version control and source code management tool for developers. Once in GitHub, the hacker found a username and password that gave them access to Uber's data that was stored on an Amazon server.
There are two fundamental questions that need to be asked here. Firstly, "Why were they developing on real customer data?", and secondly, "Why is highly sensitive personally identifiable information (PII) not encrypted in Uber's databases?"
Both practices are totally indefensible.
Copies of your production data should not reside outside a secured production environment, and all sensitive personal information should be encrypted by default, no matter where it resides.
If large quantities of data is required for development or testing and the best source of this data is from a production environment, then the data should be 'masked' before it is released into another environment, and in that way anonymise any personally identifiable information and removing any value completely.
If either encryption or data masking had been utilised, this breach would not have happened.
Three important lessons to learn from Uber's mistakes:
1. Encrypt personally identifiable information no matter where it resides.
2. Do not allow production data to reside anywhere outside of a secured production environment.
3. If production data is to be made available for development or testing purposes, then mask the data before releasing it, so that 'real' data can be converted into 'realistic' data and thereby removing anything personally identifiable.
Click here to watch our demo video on our data masking capabilities.
Click here to watch our demo video on database encryption
For more information on Encryptech's Data Masking and Encryption services please contact it on: info@encryptech.co.za +27 11 593 2394 http://www.encryptech.co.za/
Share