Uber, the world’s largest ride-hailing service that doesn’t own a single vehicle, also develops applications for road transportation, navigation, ride sharing, and payment processing. The company's technology also makes it the world’s largest connected ride-hailing fleet of vehicles. According to Upstream's 2020 report on global automotive cybersecurity, connected vehicles are facing increased risk of cyber, fraud, and data-breach incidents, which is a threat to both companies and consumers.
In 2016, Uber was hacked, for a second time, and 57 million customer records were ransomed back to the organisation. Let’s imagine for a moment that it wasn’t customer records that were held hostage, but Uber’s navigation app - a very critical business tool that connects its drivers with customers around the world. In effect, Uber’s entire independently owned connected vehicle fleet could be immobilised in over 60 countries and in over 700 cities worldwide.
Synonymous with Uber is the Toyota Prius; it's popular with drivers because of its hybrid engine, fuel efficiency, automated safety features and an incentivised finance package. Toyota is one of the three top-selling manufacturers in the US; together, General Motors, Toyota, and Ford represent nearly half of the US market and will sell only connected vehicles by 2020. So it's even possible to imagine that a connected vehicle manufacturer could also be held to ransom, affecting any fleet of vehicles.
In August 2020, Uber’s ex-CISO, Joe Sullivan, was charged by the US Department of Justice with obstruction of justice for actions undertaken during the 2016 data breach. Uber ‘covered up’ this data breach by disguising the attackers' ransom demands as a legitimate claim against the company’s bug bounty programme. He maintains he was following Uber's company policies. This raises a number of questions about how companies should or can respond to ransom attacks (or other incidents). Would your company policies and response scenarios be effective and legal if the same happened to you? Would your company attempt to manage the negotiation in-house, or would you invoke a cyber insurance policy to aid in your response to and recovery from a cyber-attack?
“Since 2018, there has been a 99% increase in the number of automotive cybersecurity incidents and doubled in the last year. connected vehicles hit the road, the potential damage of each incident rises exponentially, placing companies and consumers at risk”. -- Upstream 2020