One by one, European countries are slapping Uber with a penalty for the way it handled its 2016 data breach. Today, France’s data protection watchdog, the CNIL, announced it was fining Uber $460,000 (€400,000).This event was a combination of bad security with bad reaction and good timing. Back in 2016, Uber faced a data breach that affected 57 million users, including 1.4 million users in France. According to the CNIL’s report, hackers managed to connect to Uber’s Github repositories using some employee’s login and password. They then managed to connect to Uber’s Amazon Web Services account and download user data. How? Very simple. AWS login information was stored in plain text on Github. The CNIL said that it could have been avoided if:
- Uber had made two-factor authentication mandatory for the private Github repositories.
- Uber didn’t store AWS login information in plain text on Github.
- Uber used an IP whitelist to connect to AWS.