CEO DailyCFO DailyBroadsheetData SheetTerm Sheet

The key to cybersecurity crises at Twitter, Uber, and Take-Two Interactive? Reducing human error

September 19, 2022, 6:11 PM UTC
George Frey—Getty Images

For the cybersecurity industry, bad things came in threes last week.

First, former Twitter security chief Peiter “Mudge” Zatko warned a congressional committee of major security vulnerabilities at the company that put millions of users’ personal information at risk.

On Thursday night, Uber confirmed that it fell victim to a debilitating cyberattack in which a hacker appeared to have gained access to large swaths of its internal systems. (Uber said Friday that there’s “no evidence” the hacker accessed sensitive user data, though cybersecurity observers weren’t wholly convinced.)

Then, over the weekend, a hacker leaked dozens of videos appearing to depict early footage from Take-Two Interactive’s highly anticipated Grand Theft Auto VI video game, an unprecedented leak in the gaming industry. Take-Two Interactive confirmed the leak Monday morning. A hacker claiming responsibility suggested they are holding additional work products for ransom.

The natural inclination is to draw some kind of sweeping conclusion from this trio of cyber incursions, particularly at a time when more employees are working from home in settings that might be more vulnerable to attacks. But the three incidents bear distinct differences that, in the end, merely reinforce every employee’s shared responsibility in combating digital dangers.

The Twitter brouhaha centers primarily on the highest levels of management, with Zatko alleging that current CEO Parag Agrawal and former CEO Jack Dorsey neglected to implement much-needed cybersecurity upgrades. While the company hasn’t experienced a major breach since late 2021, when a hacker exploited a software vulnerability to download data on 5.4 million users, Zatko said Twitter’s systems are unnecessarily exposed owing to underinvestments in cybersecurity. (Twitter officials have refuted the claims, saying that Zatko’s poor performance and ineffective leadership led to his firing.)

The Uber attack, meanwhile, appears to stem from rank-and-file employees failing to heed basic cybersecurity warnings.

A hacker claiming responsibility for the Uber breach told the New York Times that they gained access to company systems after impersonating a corporate information technology staffer and convincing a worker to provide a password. (Uber has neither confirmed nor denied this account.)

Details about the source of the Take-Two Interactive hack also are scant, though Bloomberg gaming reporter Jason Schreier tweeted Sunday that “the running theory is that their Slack was compromised.”

In the wake of the hacks, a chorus of cybersecurity experts, politicians, and social media pundits have floated all sorts of solutions. Zatko suggested that the federal government—namely, the understaffed Federal Trade Commission—ramp up oversight of companies that have lost private user data to hackers. Industry leaders pushed for better multifactor authentication procedures, such as requiring special hardware attached to computers to control employees’ access to corporate systems.

It’s all well and good. But in the cases of Twitter (assuming Zatko is right) and Uber (assuming the purported hacker’s comments are true), human judgment remains the biggest vulnerability.

If Twitter has truly “made little meaningful progress on basic security, integrity, and privacy systems,” as Zatko alleged in a whistleblower complaint, that’s a reflection of derelict management. If an Uber staffer could not discern the difference between a huckster and a genuine IT coworker, that’s a failing of the employee and cybersecurity management.

“General cybersecurity awareness training, penetration testing, and anti-phishing education are powerful deterrents to such attacks,” Neil Jones, director of cybersecurity evangelism at cloud security company Egnyte, told VentureBeat. But even the best trained of us will occasionally slip up, especially when dealing with a wily scammer.

Interestingly enough, Wall Street appears to have priced hacks into its valuation of companies. Uber shares only fell 4% on Friday, compared with a 1% drop in the Nasdaq Composite, a pretty modest decline given the hacker’s claims of extensive infiltration. Take-Two Interactive’s stock price was unchanged in midday trading Monday, mirroring the Nasdaq Composite.

Maybe investors realize that there’s no silver bullet for preventing every cybersecurity mistake.

Want to send thoughts or suggestions for Data Sheet? Drop me a line here.

Jacob Carpenter

NEWSWORTHY

Wanted: The truth. South Korean authorities and TerraForm Labs cofounder Do Kwon issued conflicting statements over the weekend about the cryptocurrency entrepreneur’s level of cooperation following the issuance of an arrest warrant, Bloomberg reported. Do Kwon, who oversaw the $60 billion collapse of the TerraUSD and Luna tokens, tweeted Saturday that he is in “full cooperation” with government agencies. However, South Korean officials subsequently responded that he is “obviously on the run” and refusing to cooperate with investigators.

Back at the bottom. Bitcoin values slumped Monday to their lowest price since June, and Ethereum surrendered its post-merge bump, largely the result of fears that interest rates will continue to rise, CNBC reported. Bitcoin briefly fell below $18,500 for the first time in three months before bouncing back to about $18,900 as of Monday afternoon. Ethereum values are down 22% in the past week, despite a long-awaited shift Thursday to a new, more environmentally friendly mining protocol.

A monster IPO. Volkswagen expects to raise about $9 billion from its initial public offering next week of a minority stake in Porsche, the Associated Press reported Monday. The German automaker is selling off up to 25% of the luxury brand to help fund its adoption of electric vehicles. The company’s IPO price range equates to $8.7 billion to $9.4 billion, slightly below analyst estimates that suggested Volkswagen could bring in about $10 billion.

Up and fully running. Tesla completed Monday its monthslong project to expand production capacity at its Shanghai assembly plant, an endeavor delayed several months by COVID-related shutdowns in China, Reuters reported. The electric-auto maker expects to produce double the amount of vehicles at the Shanghai facility following the completed upgrades, helping the company in China’s competitive electric vehicle market. Tesla expects to continue testing on parts of the upgraded assembly lines through the end of November.

FOOD FOR THOUGHT

If the shoe fits. Nike wants to provide Amazon-level delivery service to its shoe and apparel shoppers. Insider reported Monday that Nike is adopting some of the e-commerce giant’s logistics and inventory tactics, part of an effort to meet consumers’ expectations for two- or three-day delivery. Nike hopes to better integrate its physical stores with its digital marketplace, speeding up the delivery of products through a more regional approach to shipping. The shift follows similar plans enacted in recent years by Walmart, Target, and Dick’s Sporting Goods.

From the article:

[Nike’s] larger connected-inventory plan is the latest example of the pressure Amazon has put on companies, even one of the largest companies in the world, to compete on delivery speed.

“Everyone has gotten used to Amazon,” Brian Yarbrough, an Edward Jones senior research analyst, said. “Most retailers are trying to get it down to two to three days. Amazon created this. Amazon does same day now. Amazon has conditioned consumers to have much higher expectations for fast shipping times.”

IN CASE YOU MISSED IT

The GIF company is telling Europe it’s so ‘cringe’ that Meta should be allowed to buy it, by Steve Mollman

How Figma founder and college dropout Dylan Field went from being a LinkedIn intern to a billionaire in just a decade, by Lucy Brewster

These tech companies are accelerating permanent carbon removal to save the planet, by Lisa Held

How good are the new Apple Watch Ultra and iPhone 14?, by Zijia Song and Bloomberg

The Choco Taco’s last hurrah will be a digital scavenger hunt, by Chris Morris

The U.S. is overdue for a dramatic shift in its cybersecurity strategy–but change is finally coming, by Andrew Rubin

BEFORE YOU GO

Better call Clearview. Dystopian facial-recognition technology finally worked in the criminal defense bar’s favor—though a one-off case might not be enough to salvage its reputation. The New York Times reported Sunday that a defense lawyer in southwest Florida used Clearview AI products to identify a crucial witness in a vehicular homicide case, one whose testimony ultimately led to prosecutors dropping serious felony charges against a man wrongly accused of causing a deadly crash. Police working the crash scene captured video of the witness, who pulled the defendant from the passenger seat of the car, but they didn’t take down his name or contact information. After months of searching, a defense lawyer tapped Clearview AI—best known for providing law enforcement and companies with access to databases with billions of faces—to see if their technology could trace the witness through his appearance in the video. Sure enough, defense lawyers had an ID on the witness within seconds of accessing the tool. Clearview AI said it will now allow public defenders to use their products, but critics of the company said the technology still amounts to a major invasion of privacy.

This is the web version of Data Sheet, a daily newsletter on the business of tech. Sign up to get it delivered free to your inbox.