We put the IT in city®

CitySmart Blog

Wednesday, January 10, 2018
Sylvia Sarofim, Network Infrastructure Consultant

Sylvia SarofimEven if Uber does not operate in or near your city, its recent revealing of a massive data breach has important lessons to teach cities. Occurring in October 2016, the data breach affected 57 million users—and Uber hid it for more than a year. Even more, Uber paid the hackers a $100,000 ransom to delete the data.

While embarrassing for Uber, this data breach illustrates several important security policy and compliance best practices that apply to cities in a day and age when these kinds of data breaches can happen to any organization.

1. It’s the law to report a data breach within a specific time period and comply with the right notification requirements.

48 states each have their own data breach notification requirements. Obviously, you will need to follow the data breach notification laws in the state where your city is located. However, if you handle personal data from people in other states, then you must report the data breach to those states too.

Overall, you need a plan in place to respond legally to a data breach within a specific timeframe and with the right information to the state (or states). That plan includes:

  • Knowing what is and isn’t a breach.
  • Notifying appropriate state, federal, and law enforcement agencies.
  • Meeting state-specific reporting requirements
  • Understanding how the data breach happened.
  • Taking steps to correct the vulnerabilities.
  • Notifying people who were affected by the data breach.

Examples of state data breach notification laws include:

Talk to your city attorney, finance officer, and information security officer for more details about how your city is (or isn’t) equipped to respond to a data breach.

2. Don’t pay criminals.

Uber made a rookie mistake when they paid hackers $100,000 to delete the exposed data. Why would you ever trust the bad guys? They targeted you, stole from you, hold your property hostage, and demand a ransom. And yet they promise to put things back like they were, clean up their mess, and close the door on the way out - never to cross your path again. Right! Do you really think that criminals will delete information like you ask and never sell it on the black market? The federal government and law enforcement agencies recommend to never pay criminals. We’ve talked about this issue a lot with ransomware. It’s tempting to try getting your data back by paying a ransom and hoping the criminals will unencrypt your data. However, it’s not guaranteed. Even if it works, how do you know your data hasn’t been altered, resold, etc. And know, you’re funding criminal activity. The better response? Rely on your data backup and disaster recovery—and make sure you can recover your data in a worst-case scenario.

3. Maintain proactive security best practices.

Hackers threatened to expose sensitive data if Uber didn’t pay up. How did that data get exposed in the first place?

According to KnowBe4: “Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information. […] If you read between the lines, that could very well be a simple credentials spear phishing scheme, done with some crafty social engineering, or perhaps careless developers leaving internal login passwords lying around online.”

To prevent similar issues, you need proactive security best practices in place that include:

  • Authorization policies: Who gets access to sensitive information? Where is that information stored? Who manages access? In Uber’s case, a GitHub coding site exposed sensitive information to unauthorized people. It was easy for hackers to then use that information to break into a more hard-to-access server.
  • Password policies: While we can’t confirm exactly what happened, it’s likely that passwords were stored on an unsecured third-party site. In the past, we’ve talked about password security risks related to human error such as writing passwords on sticky notes and leaving them exposed to public view on your desk. Sharing or storing passwords in unsecured online locations is just as, or even more, dangerous as leaving them laying on a desk. Employees need to protect passwords like they would protect their social security numbers or banking information.
  • Third-party access policies: When vendors or contractors work with you, what city information can they access? How do they access it? Data breaches can just as easily result from third parties, so it’s essential to create policies around how vendors, contractors, and outside users can access your systems and data.

4. Teach employees about “spear phishing” techniques.

You may have heard about phishing—when hackers try to use spam emails or other methods to get you to click on a dangerous website link or file that contains a virus. With spear phishing, a hacker specifically targets a high-level person in your organization. For example, we recently interviewed Stephanie Settles, the City Clerk and Treasurer at Paris, Kentucky, who was targeted in a spear phishing attack. The hacker cleverly imitated the city manager and even used his language mannerisms. Luckily, the odd requests from the “city manager” raised red flags with her that stopped her from transferring thousands of dollars to the criminal—but other cities might not be so lucky if they are caught unaware.

5. Teach employees about social engineering techniques.

When sophisticated criminals specifically target a city, they often use advanced social engineering techniques. That means they know how to act and manipulate you into giving up information. For example, let’s say you’re busy and stressed as you take many phone calls during the day. What if a “support engineer” calls you up and says they need your password to fix the “software issue”? The “software” is a system you (or your staff) uses and the support engineer sounds like he knows what he is talking about and comes across very personable—joking and making you laugh a couple of times. To be helpful, you give the password over the phone. Later, you find out that it wasn’t your support engineer at all. Instead, you allowed a hacker into your network—giving him or her the entry point they needed to breach your system.

Even if employees want to be helpful, they must follow strict procedures over the phone. That means even if a trusted employee or trusted vendor calls up wanting your password, say ‘no’. Again, say ‘no’. You must follow a policy and a process to provide them authorized and secure access to the system they want, and it won’t be by providing them your password.

Learn from Uber. If you haven’t created detailed security policies or reviewed yours in a while, then take the time to make sure your risk of a data breach is minimized. If you need help, then reach out to a vendor with municipal experience related to proactive cybersecurity best practices, policies, and compliance.

Are your security policies not in the best shape? Reach out to us today.