Assessing Cybersecurity Risks in the Uber-Indian Defence MoUs: Protecting Sensitive Data and Operational Security

There have been a number of reactions and discussions on social media about the recent MoU signed between Uber and the Indian Air Force, which also brings back into focus a similar earlier MoU between Uber and the Indian Navy in Sept 2023. The MoUs between Uber and the Indian Air Force and Indian Navy raise several cybersecurity considerations. These concerns stem from the handling of sensitive personal and operational data for Defence personnel, their dependents, and potentially for internal movement patterns.

Considering Uber's history of data breaches, including two significant incidents that exposed customer and driver information, the cybersecurity implications of these MoUs with the Indian Air Force and Indian Navy become even more critical. The previous breaches highlight potential vulnerabilities in Uber’s systems that could increase the risk to the Defence Forces’ sensitive operational and personal data:

  1. Data Privacy Risks: The MoU requires Defence personnel and their dependents to use Uber profiles linked with their personal information (such as phone numbers and email addresses). Any data leakage or unauthorized access to these accounts could compromise personal details and potentially expose information on official travel routes and timings. Uber’s past breaches involved the exposure of personal information like names, phone numbers, and email addresses. For the Defence Forces, this raises concerns that similar breaches could expose personal information of military personnel and their families. Even if this data is not directly sensitive, such exposure could lead to targeted phishing, social engineering, or tracking of Defence Force personnel’s routines.

  2. Operational Security (OpSec) Risks: The movement patterns of Defence personnel could be indirectly inferred through their ride history, even if no classified information is shared. Over time, this data could reveal potentially sensitive information regarding Defence personnel’s daily routines, facilities frequently visited, or sensitive operations, leading to a heightened OpSec risk. Given the sensitivity of the Defence Force’s movement patterns, a data breach could enable adversaries to track commuting patterns, frequented locations, or other indirect indicators of operational activities. If attackers gained access to ride history or scheduling, this could compromise personnel safety and national security. Since Uber has previously been breached, there is a concern that its security architecture may still be a target.

  3. Profile and App Security: The creation of specialized profiles on the Uber app implies storing personal and potentially sensitive information. If not well-protected, such data could be exploited by cybercriminals through account takeovers, data leaks, or phishing attacks targeting military personnel.

  4. Third-Party Data Management: Uber, as a third-party vendor, is handling the data of a sensitive government sector. Although Uber likely has its own data protection measures, reliance on third parties for sensitive information always carries inherent risks, including the potential for insider threats or accidental data exposure through inadequate security controls. With Uber’s past breaches in mind, reliance on a third party like Uber for sensitive data raises red flags. Even if Uber has improved its security posture, residual vulnerabilities could exist. Unauthorized access by external actors could allow attackers to monitor Defence Force personnel’s travel activities or potentially manipulate data, making strong third-party security agreements and regular audits essential.

  5. Phishing and Social Engineering: The instructions for activation and registration involve clicking on emailed links and submitting details through Google Forms. This could be exploited by attackers posing as Uber representatives in phishing attempts, leading to credential theft or the installation of malware if personnel mistakenly engage with malicious versions of these emails. Past breaches at Uber underscore the importance of secure communication channels. If Defence personnel and their dependents are targeted using breached information, they might fall victim to identity theft, phishing schemes, or unauthorized access attempts on other platforms. Attackers could use compromised data to impersonate support services, extract additional sensitive information, or spread malware.

  6. Incident Response and Uber’s Track Record: Uber’s handling of previous breaches has been criticized for lacking transparency and promptness. Relying solely on Uber’s business support for data-related incidents could lead to delays, heightening security risks for Navy personnel. To mitigate this, it’s essential to establish clear, enforceable incident response protocols and ensure ongoing coordination between the Navy’s cybersecurity team and Uber’s. This proactive approach would support timely detection, swift response, and transparent communication in the event of a security issue.

     

Uber MoU With Indian Navy Sept 2023


Mitigations: To address these risks, the Indian Defence Forces and Uber should consider implementing the following mitigations:

  • Enhanced Data Encryption and Anonymization: Uber should implement encryption for both data at rest and in transit, with specific protocols to anonymize ride history and user profiles associated with Defence Force personnel to minimize the risk if data is accessed. 
  • Data Minimization and Encryption: Uber should minimize the amount of data collected, encrypt sensitive information, and store data securely. Regular audits and compliance checks should be carried out.
  • Clear Security Guidelines for Personnel: The Defence Forces should provide personnel with clear cybersecurity guidelines, educating them about phishing risks and the safe handling of official and personal information.
  • Strict Access Controls: Enforcing multi-factor authentication (MFA) on these Uber profiles can mitigate unauthorized access. Uber's own data access should also be restricted to "only the necessary data required for service delivery". Uber should implement strict access controls for data associated with Defence Force personnel, including role-based access control, multi-factor authentication, and session logging to monitor and limit data access.
  • Collaborative Incident Response Plans: Uber should work closely with the Defence Force's cybersecurity units to create a comprehensive incident response strategy and ensure prompt responses to security issues affecting Defence personnel.
  • Security Audits and Compliance Requirements: Given the sensitive nature of the users, Uber should undergo regular security audits and vulnerability assessments specific to this contract. The Defence Force could mandate compliance with a specific cybersecurity framework, such as ISO 27001 or NIST standards, as a prerequisite.
  • Cybersecurity Awareness Training for Personnel: Educating Defence Force personnel on cybersecurity risks, such as phishing and suspicious app permissions, is essential. Given Uber’s breach history, personnel should be made aware of the importance of secure account management, cautious interaction with links, and monitoring for suspicious activity.
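
As an added illustration of the anonymization and data-minimization bullets above (not code from Uber or the Defence Forces), the sketch below pseudonymizes rider identifiers with a keyed HMAC, coarsens coordinates and times, and then checks which routines are still visible in the reduced records. The field names, key handling, and 0.01-degree grid are assumptions, and the sample rides are constructed.

```python
import hashlib
import hmac
from collections import Counter
from datetime import datetime

# Assumption: the key is held outside the ride store and rotated on a schedule.
PSEUDONYM_KEY = b"constructed-demo-key"

def pseudonym(rider_id, key=PSEUDONYM_KEY):
    """Keyed HMAC: without the key, hashing guessed identifiers does not match."""
    return hmac.new(key, rider_id.encode(), hashlib.sha256).hexdigest()[:16]

def coarsen(value, cell=0.01):
    """Snap a coordinate to a grid cell (0.01 degree of latitude is about 1.1 km)."""
    return round(round(value / cell) * cell, 6)

def minimise(ride):
    """Keep only a pseudonym, coarse cells and half of day; drop everything else."""
    hour = datetime.fromisoformat(ride["pickup_time"]).hour
    return {
        "rider": pseudonym(ride["rider_id"]),
        "pickup_cell": tuple(coarsen(c) for c in ride["pickup"]),
        "drop_cell": tuple(coarsen(c) for c in ride["drop"]),
        "day_part": "am" if hour < 12 else "pm",
    }

def residual_routines(records, threshold=3):
    """Trips one pseudonym repeats >= threshold times: still visible after minimisation."""
    counts = Counter(
        (r["rider"], r["pickup_cell"], r["drop_cell"], r["day_part"]) for r in records
    )
    return {trip: n for trip, n in counts.items() if n >= threshold}

# Constructed sample rides; identifiers and coordinates are made up.
SAMPLE_RIDES = [
    {"rider_id": "rider-001", "pickup_time": "2024-01-08T07:42:00",
     "pickup": (10.0012, 20.0034), "drop": (10.0521, 20.0498)},
    {"rider_id": "rider-001", "pickup_time": "2024-01-09T07:55:00",
     "pickup": (10.0031, 19.9987), "drop": (10.0489, 20.0512)},
    {"rider_id": "rider-001", "pickup_time": "2024-01-10T08:03:00",
     "pickup": (9.9978, 20.0009), "drop": (10.0503, 20.0479)},
    {"rider_id": "rider-001", "pickup_time": "2024-01-10T18:20:00",
     "pickup": (10.0503, 20.0479), "drop": (10.0012, 20.0034)},
    {"rider_id": "rider-002", "pickup_time": "2024-01-09T09:10:00",
     "pickup": (10.2044, 20.3011), "drop": (10.0521, 20.0498)},
]

if __name__ == "__main__":
    stored = [minimise(r) for r in SAMPLE_RIDES]
    for trip, n in residual_routines(stored).items():
        print(n, trip)
```

On the sample data the repeated morning trip still surfaces under a single pseudonym, which shows that pseudonymization and coarsening reduce exposure but need to be paired with short retention periods and access controls on the stored records.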

Such measures would enhance the security of personal and operational data, ensuring that the Defence Force's engagement with Uber remains secure and resilient against potential cyber threats. By implementing these measures, the Indian Defence Forces can mitigate the cybersecurity risks tied to partnering with Uber. Enhanced scrutiny and proactive risk management would ensure greater protection for sensitive personal and operational data, given the vulnerabilities exposed by Uber’s previous breaches.

 
