Lessons we can learn from UBER on Incident Response and the implications of GDPR.
The technology world could refer to the last decade as “10 years of the breach”. At first the breaches were monthly, then fortnightly, weekly and now almost daily, with companies coming out with their hands up to apologise for the latest one.
Many organisations in the “regulated world” have the right technology and processes deployed. These companies are the most clear-sighted about what has happened, notify their customers, board and employees and follow their breach plan, and move on quickly.
Other organisations, often those who operate in a “less regulated” commercial world, face less stringent rules on how they look after their customer data. These organisations tend to take a “less than transparent” approach to their security, and the recent UBER breach seems to fit into this bracket.
The full facts are not public, but it appears that UBER had a data breach in which as many as 57 million customers’ and drivers’ personal records were stolen, yet UBER chose to pay a “ransom” fee to their adversary and then not notify anyone about the hack for as much as a year. Their adversary claims to have deleted the data, but it takes a huge leap of faith to believe that a hacker has not sold or disclosed this data, and paying also validates this as a tactic they can reuse.
In 2018 the rules change: all organisations who operate in Europe will need to comply with the General Data Protection Regulation (GDPR). This means breach notification is for everyone, not just the highly regulated businesses, and what’s more, the stick for not doing so could be a very, very big fine.
Key facts of GDPR that organisations need to be aware of include:
So, what can organisations really do to help protect themselves?
Defence in depth is always the mantra of security professionals, but here are some of the modern layers that need to be in place:
“From a security standpoint, all organisations need to get deep visibility of what’s happening to their systems and one has to question whether Uber has the right systems and process in place to protect our data. Deception should also be part of its security defence strategy. By placing decoys, traps and lures on the network, companies can expose and defuse attacks before any real damage is done – all while protecting key data assets wherever they reside.”
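The quoted advice above (deep visibility plus decoys, traps and lures) is the one concrete technique on this page. As an added example, not code from the original post, from Uber or from the quoted speaker, here is a small Python detector that raises a high-confidence alert whenever a decoy account shows up in authentication log lines. The decoy account names, the log format and the sample log lines are all constructed assumptions for the illustration.

```python
"""Honeytoken (decoy account) alerting over authentication log lines.

Added example. A decoy account is one that no legitimate user or service
should ever use, so any appearance of it in an auth log is suspicious by
definition. Account names, log format and log lines are constructed.
"""
import re
from dataclasses import dataclass

# Constructed decoy identities: seeded into the directory so that any use of
# them, successful or not, is a signal rather than noise.
DECOY_ACCOUNTS = {"svc-backup-legacy", "finance-share-admin"}

# Constructed sshd-like log format: "<ts> auth: <result> user=<name> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<result>ACCEPT|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    src: str
    result: str
    severity: str


def parse_line(line):
    """Parse one log line into a dict, or return None if it is not in the expected format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_decoy_use(lines, decoys=DECOY_ACCOUNTS):
    """Return one Alert per log line that touches a decoy account.

    A failed attempt still matters (someone is probing with harvested names),
    but a successful login to a decoy means the decoy credential itself has
    leaked, so that case is flagged at the higher severity.
    """
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["user"] not in decoys:
            continue
        severity = "critical" if rec["result"] == "ACCEPT" else "high"
        alerts.append(Alert(rec["ts"], rec["user"], rec["src"], rec["result"], severity))
    return alerts


def summarise_sources(alerts):
    """Group decoy hits by source address so responders can see where the probing originates."""
    by_src = {}
    for a in alerts:
        by_src.setdefault(a.src, []).append(a.user)
    return by_src


# Constructed sample log: normal traffic, two touches on decoys, one malformed line.
SAMPLE_LOG = [
    "2017-11-21T09:00:01Z auth: ACCEPT user=alice src=10.0.0.5",
    "2017-11-21T09:00:07Z auth: FAIL user=svc-backup-legacy src=203.0.113.7",
    "2017-11-21T09:00:09Z auth: ACCEPT user=bob src=10.0.0.9",
    "2017-11-21T09:01:30Z auth: ACCEPT user=finance-share-admin src=203.0.113.7",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    found = detect_decoy_use(SAMPLE_LOG)
    for alert in found:
        print(f"[{alert.severity}] {alert.ts} decoy {alert.user!r} {alert.result} from {alert.src}")
    print(summarise_sources(found))
```

Because a decoy has no legitimate users, the alert needs no baseline or threshold: one hit is enough to open an incident, which is what makes this layer cheap to run alongside the broader visibility the quote calls for.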