Senators grill Uber CISO over 2016 breach, extortion incident
Senators rebuked Uber on Tuesday during a Senate Commerce subcommittee hearing over the company’s handling of the data breach it disclosed in November 2017, with one lawmaker calling the company’s decision to wait a year before publicly disclosing it “morally wrong and legally reprehensible.”
Uber’s actions “violated not only the law but the norm of what should be expected,” said Sen. Richard Blumenthal, D-Conn., the subcommittee’s ranking member.
Uber revealed in November 2017 it paid $100,000 to delete data of 57 million users worldwide that was maliciously obtained by Florida-based hackers. The data included names, email addresses and phone numbers, and in some cases, encrypted passwords and driver’s license numbers. While Uber says that the hackers acted maliciously, the company paid them through HackerOne, which hosts Uber’s bug bounty program — a way for ethical hackers to receive payouts for informing companies about vulnerabilities.
During the hearing, the lawmakers questioned Uber’s chief security officer while also receiving an education from experts on how bug bounty programs are supposed to operate.
Uber CISO John Flynn explained that the company admits fault for withholding information about the breach for more than a year, and he promised changes in the way security incidents will be handled in the future.
“There is no justification for that. We should have notified our customers at the time when this did occur and it was a mistake not to do so,” Flynn said. “We didn’t have all the right people in the room making that evaluation.”
In a line of questioning from Sen. Catherine Cortez Masto, D-Nev., Flynn explained that hackers initially contacted Uber with demands and appeared to be unaware that the company ran a bug bounty program. Uber then tried to sway the hackers into cooperating with Uber and getting paid out through the program, he said.
Cortez Masto rebuffed Uber’s reasoning, saying that the company ought to have informed law enforcement in order to prevent the hackers from extorting other companies in the same way.
“To me, that’s a criminal element. You want to uncover who they are and hold them accountable and not try to somehow put some parameters around them that legitimize them,” she said.
Aside from lambasting Uber, witnesses generally praised the bug bounty practice as a helpful way for companies to find and handle vulnerabilities. But the 2016 Uber breach was also an opportunity to scrutinize how they’re carried out.
Katie Moussouris, CEO of Luta Security, which advises companies on vulnerability disclosure, argued that the mere ability for hackers to negotiate the bounties defeats the purpose of the practice. Uber’s program has an upper limit of $10,000, according to its page on HackerOne, but the 2016 hackers were paid far more than that.
“Why would a hacker turn in a bug and follow the rules for $10,000, when the term “bug bounty” has been muddied to include downloading 57 million and records and getting paid $100,000 for that data theft?,” she said. “I think that is a line that should be very, very clear – that bounties should not be negotiable in that way.”
Justin Brookman, director for consumer privacy and technology policy with the Consumers Union, raised questions about bug bounty programs from a consumer protection perspective.
“When should the discovery of a vulnerability by a third party trigger a breach notification to consumers? How can researchers test for bugs without ever touching consumer data? When, if ever, should bounties be negotiable?” Brookman said in his testimony.
Senators concurred that Uber’s 2016 incident amounted to extortion and not a legitimate use of a bug bounty program, due to the fact that Uber negotiated with the hackers while keeping the incident under wraps.
“It’s the difference between a security consultant who says about your home: ‘You have this vulnerability to forced entry’ – and a criminal who says ‘You have this vulnerability to forced entry and I have your child. Pay me $100,000,’” Blumenthal said. “That’s ransom. It’s a crime.”
Flynn, asked by Blumenthal whether he agrees that negotiability should be nixed in Uber’s bug bounty program, said the company is in the process of reviewing that policy. He also stressed that the 2016 incident was an anomaly in Uber’s bug bounty program.
“The fact that this was a multi-step malicious intrusion, a downloading of data, and extortionate demands means that this was inconsistent with the way that program normally operates,” the CISO said. “It’s important to understand that this is not the way we’re going to do these things moving forward.”
HackerOne CEO Mårten Mickos told senators that HackerOne doesn’t engage in extortion payouts. While the platform hosts Uber’s bug bounty program, Mickos declined to comment after the hearing on whether his company communicated with Uber during the 2016 incident, deferring to the ride sharing company.
Legislation proposed by Bill Nelson of Florida, the full committee’s ranking Democrat, would set federal requirements around breach notifications. Flynn and Mickos endorsed such an effort because it would be simpler than complying with the “patchwork” of state laws around the issue.
Moussouris and Brookman expressed reservations, citing a potential to disincentivize detecting breaches in the first place.
