Opinion | The Uber Hack Exposes More Than Failed Data Security


Uber was hacked this month. The company said that the attacker — a teenager possibly linked to the incident was just arrested in London — most likely obtained the corporate password of an Uber contractor. Using that person’s access, the hacker gained access to some of Uber’s internal systems: internal Slack messages, a finance tool for invoices and the dashboard where the company’s security researchers report bugs and vulnerabilities. It’s a big deal, and an embarrassment to the company.

Uber has said that it believes that the attacker is affiliated with a hacking group called Lapsus$, whose members are mostly teenagers and which has recently targeted several technology companies. Uber also said it had not seen any evidence that user data was compromised during the incident. In the lawsuits that will invariably result, we will learn more about what happened.

But any litigation against the company, whether it be by government agencies like the Federal Trade Commission, or class-action lawsuits by shareholders or perhaps even customers, will focus on the proximate causes of the hack. More fundamental are the underlying causes of security breaches: current economic and political forces incentivize companies to skimp on security at the expense of both personal and national security. If we are to ever have a hope of doing better, we need to change the market incentives.

When you’re a high-tech start-up company, you are likely to cut corners in a lot of areas. It makes business sense — your primary focus is to earn customers and grow quickly enough to remain in business when your venture capital funding runs out. Anything that isn’t absolutely essential to making the business work is left for later, and that includes security culture and practices. It’s a gamble: spending money on speed and features rather than security is a more likely path to success than being secure yet underfunded, underfeatured, or — worst of all — a year later to market.

Security can be improved later, but only if necessary. If you’ve survived the start-up world and become a runaway success, you’ve had to scale to accommodate your customers or users. You’ve been forced to improve…
