Researchers claim that this incident compromised the company's Amazon S3 buckets
Uber Technologies decided not to disclose a data breach in 2016, a decision that keeps bringing bad news for the transport service platform.
According to reports from digital forensics experts, Uber has been fined a total of $1.2M USD, an amount set by the data regulatory authorities of the United Kingdom and the Netherlands, which accuse the company of inadequate data security policies and of failing to properly report the data breach it suffered two years ago. The authorities argue that this incident, which the company took a year to report, exposed Uber drivers and users to an increased risk of cyber fraud.
The incident compromised the personal information of over 50 million users and 3 million Uber drivers worldwide, including names, email addresses and phone numbers. According to digital forensics specialists, in some cases the attackers even leaked location data, access tokens and user passwords. The incident occurred in October 2016, but Uber kept it undisclosed until November 2017.
The United Kingdom Information Commissioner's Office (ICO), in charge of compliance with data protection laws in British territory, has fined Uber £385k. The ICO stated that the incident occurred because of “a series of flaws” in Uber's IT infrastructure, adding that about 3 million Uber users in the UK were affected by the incident.
The ICO investigation found that the data breach was made possible by the “credential stuffing” technique, a process in which large numbers of username and password pairs are submitted to a website until one matches an existing account. Uber uses Amazon Web Services Simple Storage Service (S3), a cloud-based storage service, to hold its information.
An attacker was able to access multiple Uber S3 buckets because the company's IT team left the S3 access credentials in code that was uploaded to GitHub, the popular code development and sharing platform. “Uber's S3 account access credentials were in a plain text file stored on GitHub,” the ICO stated.
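The root cause the ICO describes, long-lived cloud credentials committed to a code repository, is the kind of defect a pre-commit or CI secret scanner is meant to catch. The scanner below is an added example, not the article's or Uber's code. It looks for AWS access key IDs using AWS's documented prefix-and-length format and for secret keys using a heuristic pattern (an assumption that will produce some false positives), and it runs against a constructed "before" snippet that hard-codes credentials alongside the hardened form that lets the SDK resolve credentials at runtime. The key values in the snippet are the placeholder examples from AWS's own documentation, not real keys.

```python
import re

# AWS access key IDs start with AKIA (long-term) or ASIA (temporary) followed by
# 16 uppercase alphanumerics: this is AWS's documented format. The secret-key
# pattern is a heuristic for this example: a "secret key"-like name followed by
# a 40-character base64-style value.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws)?_?secret(?:_access)?_?key\W{0,5}([A-Za-z0-9/+=]{40})\b")


def mask(value):
    """Keep only the first and last four characters so reports do not re-leak."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def find_aws_credentials(text, source="<memory>"):
    """Scan text line by line; return (source, line_no, kind, masked_value) tuples."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((source, lineno, "access_key_id", mask(m.group(0))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append((source, lineno, "secret_access_key", mask(m.group(1))))
    return findings


def scan_files(paths):
    """Convenience wrapper for a pre-commit hook: scan each path on disk."""
    findings = []
    for path in paths:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            findings.extend(find_aws_credentials(fh.read(), source=path))
    return findings


# Constructed "before" snippet: credentials embedded in source the way the ICO
# describes. Values are AWS documentation placeholders, not live keys.
VULNERABLE_SNIPPET = '''
import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
s3 = boto3.client("s3", aws_access_key_id=AWS_ACCESS_KEY_ID,
                  aws_secret_access_key=AWS_SECRET_ACCESS_KEY)
'''

# Hardened form: no literal credentials in the repository. boto3 obtains them
# at runtime from its default provider chain (environment variables, a shared
# credentials profile, or an instance/container IAM role).
HARDENED_SNIPPET = '''
import boto3
s3 = boto3.client("s3")  # credentials resolved from the provider chain
'''


if __name__ == "__main__":
    for finding in find_aws_credentials(VULNERABLE_SNIPPET, source="app.py"):
        print("FOUND", finding)
    print("hardened snippet findings:",
          find_aws_credentials(HARDENED_SNIPPET, source="app.py"))
```

Pattern scanning is only the detection half: any key that has ever been committed, even briefly, should be treated as exposed and rotated, since repository history and forks retain it after the file is deleted, and the permissions behind the key (here, read access to production S3 buckets) are what determine the blast radius.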
Meanwhile, the Autoriteit Persoonsgegevens, the Dutch data protection authority, imposed a fine of £600k on Uber for violating Dutch information security law. “The company was fined for not reporting the data breach within 72 hours after the discovery of the incident,” the Dutch authorities reported. It is estimated that about 174k Dutch users were affected by the data theft.
The data breach occurred while Travis Kalanick served as Uber's CEO, but it remained undisclosed until November 2017, after Dara Khosrowshahi took over as CEO and ordered a digital forensics investigation.
In the end, it emerged that Uber had paid $100k USD to a young hacker from Florida for a “bug report” under its vulnerability bounty program. However, the authorities believe that the hacker had discovered the data breach and that the payment made by the company was a bribe to keep the incident secret.
The data breach occurred before the European Union's General Data Protection Regulation (GDPR) came into force, so Uber was sanctioned under the provisions of the United Kingdom's Data Privacy Act, promulgated in 1998. Fines imposed under this law may not exceed $500k USD.