Cybersecurity in the sharing economy

Uber's failure to report a massive data breach in 2016 has, ironically, focused far more attention on the incident than it would probably otherwise have received.

A hacker accessed and downloaded a database held in a private Github account containing personally identifying information associated with around 57 million Uber users and drivers, including around 600,000 drivers’ license numbers.

However, rather than disclosing the breach, the company paid the hacker $100,000 through its bug bounty program to delete the data and stay quiet.

In 2017, Uber paid $148 million to settle the investigation.

However, the saga didn't end there, and the US Department of Justice has now charged Uber’s former chief security officer, Joseph Sullivan, with obstruction of justice.

Risky business

The breach has highlighted some of the problems that large gig economy companies face. 

In the case of Uber, says Paul Bischoff, privacy advocate at consumer website Comparitech.com, "Although Uber takes some precautions such as driver's license scans and background checks, drivers can still share their vehicles and accounts. Uber's non-driver employees never physically meet or interact with the vast majority of drivers."

The sharing economy is growing rapidly, with the US sector alone projected to reach $455.2 billion by 2023, employing around 57 million people. In many cases, workers are accessing networks from personal devices that lack standard enterprise-level security.

"The variety of devices used by independent contractors can create a management nightmare," says Morgan Wright, chief security advisor at endpoint security software firm SentinelOne. 

"The end user and eventual customer must rely on the security of the platform, the billing system and a host of other services that are outside their control."

According to research from security software firm CyberArk, 90% of organisations allow third party vendors access to their critical systems, and 72% put third party access in their top ten security risks. 

"As is apparent, the problem is widespread, and the risk is broadly understood. However, it is not being acted upon," says David Higgins, EMEA technical director at CyberArk. 

"The majority of organisations use approaches that are just not optimised for efficiency, and don’t consistently apply corporate security policies across on-premises and cloud resources. Any solution for third party privileged access must have basic security best practices that mirror established policies for internal workers."

Multiple solutions required

Dave Waterson, CEO at security software company SentryBay warns that multiple solutions will almost certainly be needed.

"If standard anti-virus and endpoint detection and response are already in place, subsequent protections based on containerisation, anti-keylogging and anti-screen scraping should be implemented as standard, and they must be complementary and compatible," he says. 

As the worldwide coronavirus epidemic continues, gig working is on the rise. 

Retailers large and small, for example, are taking on huge numbers of delivery drivers, couriers and warehouse workers.

For those finding themselves moving into the gig economy, says Sam Curry, chief security officer at security firm Cybereason, "Start with what you allow remote today, make sure you know the threat landscape and your business and talk, role-by-role, about what can be done in the short-term gig economy and what can’t; and involve security, HR and legal early and often as the gig worker environment evolves."