By SecureWorld News Team
Wed | Feb 7, 2018 | 6:17 AM PST

Uber CISO John Flynn was in front of Congress on Tuesday, telling a committee there was "no justification" for Uber's silence after the company paid hackers $100,000 to keep quiet about a breach of millions of customer and driver records.

We learned three interesting things from his testimony about what happened during and after the 2016 breach.

1. The company says it paid the $100,000 ransom through its bug bounty program on the HackerOne platform, and that this was wrong.

"We recognize that a bug bounty program is not an appropriate vehicle for dealing with intruders who seek to extort funds from the company."

2. The data was found in an AWS S3 bucket, reached with a credential the intruder discovered in code on GitHub.

"We learned the intruder found the credential contained within code on a private repository for Uber engineers on GitHub."
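As an added example (not from the article or from Uber), a small pre-commit style scanner that flags AWS-style credentials committed in source, the kind of leak the testimony describes. The sample file is constructed, and the key values in it are the placeholders used in AWS documentation, not real credentials.

```python
import math
import re
from collections import Counter

# AWS access key IDs (the public half of a key pair): "AKIA" plus 16 uppercase letters/digits.
ACCESS_KEY_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
# Candidate secret keys: a 40-character base64-like token assigned to a secret-looking variable.
SECRET_KEY_RE = re.compile(
    r"(?i)(aws_?secret_?access_?key|secret_?key)\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})['\"]?"
)

# Constructed sample of a settings file with credentials checked in.
# Key values are the AWS documentation placeholders, not live credentials.
SAMPLE_SOURCE = """\
# settings.py (constructed sample for this example)
S3_BUCKET = "example-bucket"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
PLACEHOLDER_SECRET_KEY = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"""


def shannon_entropy(token: str) -> float:
    """Bits per character; real secrets are high-entropy, dummy values are not."""
    counts = Counter(token)
    n = len(token)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_source(text: str, min_entropy: float = 4.0):
    """Return (line_number, kind, value) for each credential-like token found.

    Secret-key candidates below min_entropy (e.g. "AAAA...") are treated as
    placeholders and skipped, which keeps the noise down in a pre-commit hook.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((lineno, "aws_access_key_id", m.group(1)))
        for m in SECRET_KEY_RE.finditer(line):
            token = m.group(2)
            if shannon_entropy(token) >= min_entropy:
                findings.append((lineno, "aws_secret_access_key", token))
    return findings


if __name__ == "__main__":
    for lineno, kind, value in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind} = {value[:4]}... (blocked from commit)")
```

A real hook would run this over `git diff --cached` output and reject the commit on any finding; the entropy threshold is a heuristic, so review it against your own false-positive rate.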

3. Uber's CISO has more than 100 people on his security team, whose work looks like this:

"Our security efforts generally involve the following: 1) controlling access to our systems and services; 2) using security by design principles during the planning process; 3) auditing and testing code during development and throughout its lifecycle; 4) monitoring for threats; and 5) managing ongoing reinforcement and patching processes to protect our systems and software from reported vulnerabilities."

The company says it completely supports bug bounty programs—used the way other companies are using them—and that it supports the idea of a national breach notification policy.

Want more? Read the complete written testimony of Uber's CISO here.
