A Tale of Two Breaches

(With apologies to Charles Dickens)

Last week brought news of settlements and fines for two US firms related to cybersecurity breaches. Neither of these breaches represented the best of times, nor of an age of wisdom. Neither should have happened, but they did. Yet, they were treated very differently. The uneven treatment US government authorities meted out to violating companies sends a disturbing message to executives in the boardroom.

Uber, a privately held firm in the “sharing economy”, breached 57 million passenger and driver records in 2016. The story: an Uber software developer stored a service credential in application code to access sensitive information from their database, and stored the code in a private repository on GitHub. Including service credentials – a “shared secret” – inside software would, in itself, have been a violation of “security best practices”, since such secrets can be compromised in many places besides the GitHub repository: testing environments, staging machines and, of course, the production infrastructure itself. But the software developer’s errors did not stop there.

GitHub deployed FIDO-based strong authentication specifically so that software developers could protect their repositories from unauthorized access. Despite the deployment of one of the strongest authentication protocols produced by the industry, GitHub neither encourages its users to sign up nor to sign in with FIDO technology. As a result, the software developer used one or more shared secrets – username/password, one-time passcodes, etc. – to authenticate to the Uber repository.

The next mistake was that Uber automatically deployed their applications into Amazon Web Services (AWS) using yet another shared secret: an application programming interface (API) key with a secret key – a euphemism for username/password – using geeky terminology to imply sophistication: hashed message authentication codes (HMAC), a variation of the algorithms used by password authentication systems.

This disastrous chain of weak links – passwords to store software in a repository, containing passwords to access a protected database, using passwords to automatically deploy applications into the public cloud – eventually led to the compromise of sensitive data. The break could have happened anywhere in the chain, but the possibility of compromise should have been a risk anticipated at every level in Uber.
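The first link in that chain, a credential committed into application code, is the one a development team can catch before the code ever reaches a repository. The following is an added example, not Uber’s or GitHub’s code: a minimal scanner that flags credential-shaped literals in source text (the AWS access key id prefix and quoted values assigned to names containing “password”, “secret”, “token” or “api_key”; the patterns are assumptions, not a complete rule set), run against a constructed snippet that embeds a secret, and beside it the hardened habit of reading the secret from the runtime environment so that nothing sensitive is checked in. The AWS key values in the sample are AWS’s published documentation placeholders, not live credentials.

```python
"""Flag shared secrets embedded in source code, and show the hardened
alternative of injecting them at runtime. Constructed example; the patterns
and sample snippets are assumptions for illustration only."""
import os
import re

# Credential shapes commonly found in source. The AKIA prefix followed by
# 16 upper-case letters or digits is the documented AWS access key id format.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # An identifier containing a secret-like word assigned a quoted literal of
    # at least six characters (matches "DB_PASSWORD = '...'", "token: '...'").
    "credential_literal": re.compile(
        r"(?i)\b\w*(password|passwd|secret|token|api_key)\w*\s*[=:]\s*['\"]([^'\"]{6,})['\"]"
    ),
}

# Constructed 'before' snippet: the anti-pattern described in the post.
SAMPLE_SOURCE = """\
import boto3
DB_PASSWORD = "hunter2-prod"
client = boto3.client("s3", aws_access_key_id="AKIAIOSFODNN7EXAMPLE",
                      aws_secret_access_key="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY")
"""

# Constructed 'after' snippet: the secret is resolved from the environment,
# which the deployment system or a secrets manager populates at run time.
HARDENED_SOURCE = """\
import os
DB_PASSWORD = os.environ["DB_PASSWORD"]
"""


def find_hardcoded_secrets(source):
    """Return a list of {'line', 'kind', 'match'} dicts for every suspicious
    literal in the given source text, in line order."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append({"line": line_no, "kind": kind, "match": m.group(0)})
    return findings


def load_secret(name, env=None):
    """Hardened pattern: fetch a secret from the process environment rather than
    from source. Fails loudly when the secret was never injected, so a missing
    credential surfaces at startup instead of as a silent fallback."""
    env = os.environ if env is None else env
    value = env.get(name)
    if not value:
        raise RuntimeError("required secret %s is not set in the environment" % name)
    return value


if __name__ == "__main__":
    for f in find_hardcoded_secrets(SAMPLE_SOURCE):
        print("line %d [%s]: %s" % (f["line"], f["kind"], f["match"]))
    print("hardened snippet findings:", find_hardcoded_secrets(HARDENED_SOURCE))
```

Run as a pre-commit hook or a CI step, a check like this blocks the credential before it reaches the repository; it does not replace rotating any secret that was already committed, since repository history retains it.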

To make matters worse, Uber’s Chief Information Security Officer not only did not disclose the breach for a year, but paid hackers USD 100,000 to hack into the thief’s/thieves’ computers to attempt to delete the stolen data. The attempt did not succeed, and the officer lost his job in the process.

Last week, Uber settled with the 50 US States and the District of Columbia for USD 148 million for violating data breach laws.

The same week, the Securities and Exchange Commission (SEC) announced an agreement by Voya Financial Advisors, Inc. (VFA), a publicly traded financial services firm, to pay USD 1 million to settle charges related to failures in cybersecurity policies and procedures, which led to compromised information of 5,600 – that’s right, five thousand six hundred – VFA customers. The attackers called VFA’s support line, impersonated VFA contractors over a one-week period in 2016, and requested that their passwords be reset. Using the new passwords, they created new customer profiles and obtained unauthorized access to account documents for three – you read that correctly – three customers.

Now, comes the part that simply doesn’t make sense.

VFA is currently a USD 8 billion public company, and paid a fine averaging USD 178.57 per customer record breached. Uber, on the other hand, estimated to be a USD 72 billion company, paid a fine of USD 2.59 per customer record breached.

A recent report indicates that the global average cost of a breached record was USD 148. Using this average cost, while VFA should have paid a fine of USD 828,800 for their lapses, Uber’s settlement should have been a whopping USD 8.436 billion!

Did the States egregiously devalue consumers’ data, given independent research on the value of a breached data record? How did the SEC arrive at a valuation closer to the global average than 50 US States did? Are the Attorneys General not coordinating their information resources with the SEC to ensure that data breaches caused by companies’ negligence are punished equally? Did they not review these independent reports before they decided on the settlement amount?

These are questions that policy makers must answer if we intend to take control of our cybersecurity lapses. Without uniform laws and consequences, there can only be inconsistency in risk-mitigation approaches. The lesson boardroom executives are likely to take away from these two incidents is that it is far less expensive to breach a great deal of data than just a few records – leading to practices that result in more data collection and fewer controls in cybersecurity risk-mitigation.

Shades of “Too big to fail” seem to be resurgent again.