Tuesday, November 21, 2017

UBER ! Oops. My Bad. 57 million records lost. Finally some good news.





I've been waiting for this.

Waiting a long time.

Finally someone has dropped the soap and come clean in a direct and "appropriate" way.

Obviously plenty of criticism is coming down the road for why it happened, why it took so long to let customers know, etc.

That's really part of the game.


What would you expect when Uber's Chief Security Officer is a Lawyer instead of a trained security expert?

There are still some funny things to laugh at.

For example, paying the hackers $100,000 to delete the data. Honour amongst thieves perhaps. After all, we are all allowed to believe in Santa. Some of us believe more in Satan, oh well.


However here are some really nice tidbits that I find very positive:


"None of this should have happened, and I will not make excuses for it," he added (CEO). 
"While I can't erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes."
I love it when people just come clean and tell you they dropped the ball, very inspiring.
The only problem with the last statement is that they ended up fined for a much smaller breach in 2014 and it appears... they still needed to learn from those mistakes.
So now, they will have to face the music for not disclosing when they uncovered it, but once again, the lawyer(s) certainly had a large role in holding that off.
Perhaps many enterprises could re-visit their choice of CSO to ensure that the position is handled by a "real" security expert, but let's face it, traded companies focus on the shareholder and their return on investment. So I guess most boards would go the route of a hardened politician, Lawyer, or Music Major since the talent they most want is not "security". So I guess in this case, as is also the case in many other enterprises, these are pretty much the ingredients they wanted. Some will call it "plausible deniability", some will call it "willful blindness". Some will call it a Tuesday.
Note to my friend Robert M.  You wanted a positive post out of me.  Well this isn't it yet ;-)



Now on an even more positive note. Maybe some people are starting to grasp that sensitive data in the cloud requires more than nice words and a pretty logo.

Lesson learned:  Regardless of the size and glamour of the cloud provider, "Trust but Verify".  Or don't use it.
_______________________________________________

Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies

www.eva-technologies.com


