Smartphone attached to a car mount in car with Uber logo at night showing lessons from the Uber breach settlement
Lessons from the Uber Breach Settlement

Lessons from the Uber Breach Settlement

The Uber case that involved the exposure of personal information of tens of millions of people has been settled, and the pioneering ride hailing company is facing some heavy fines to go along with the considerable brand damage that they have already experienced. The Uber breach settlement should be a strong caution to any tech company that handles personal data, but especially those that have sensitive information stored on third-party cloud servers.

The hack of Uber’s database took place on Nov 6, 2016, but the company learned about the breach a month later and then kept the matter hidden for nearly a full year. The hackers stole account information, including names, email addresses and cellphone numbers, for 50 million riders and 7 million drivers, among which were about 600,000 driver’s license numbers. The hackers then held Uber to ransom, receiving a payment of $100,000 to not go public about the breach. It was not the first offense of this nature for Uber, which had failed to disclose a smaller data breach in 2014.

Penalties and promises

The Uber breach settlement, which involves the governments of all 50 states, is one of the largest in history for a data privacy case. Announced by California Attorney General Xavier Becerra and San Francisco District Attorney George Gascón, the company agreed to pay $148 million in total, which will be distributed among all of the states and the District of Columbia. In addition to the sheer scope, what makes the case unique is that Uber was being held to account not just for failing to provide notice of the breach (in accordance with each state’s individual data privacy laws) but also for engaging in deceptive trade practices. The state of Texas claimed that Uber violated their Deceptive Trade Practices Act by claiming to secure user data but failing to actually provide adequate security.

In addition to the fine, Uber has agreed to implement new security measures as part of the settlement. These include a new password policy for employees, a revamped data security policy for all personal data collected by the company, a corporate integrity program and third-party monitoring of the company’s data security practices.

“The commitments we’re making in this agreement are in line with our focus on both physical and digital safety for our customers, as exemplified by our recent announcement of a host of safety and security improvements and our recent hiring of experts like Ruby Zefo as Chief Privacy Officer and Matt Olsen as Chief Trust and Security Officer,” Uber Chief Legal Officer Tony West said in a statement. “We’ll continue to invest in protections to keep our customers and their data safe and secure, and we’re committed to maintaining a constructive and collaborative relationship with governments around the world.”

Though the embattled company opted to settle the case before it went to trial, the fact that the states so clearly won the Uber breach settlement is important. It sets an informal precedent that other companies will need to pay attention to.

Ramifications of the Uber breach settlement

Nearly every tech company that handles personal and private data will be compelled to make some changes as a result of the Uber breach settlement. As Tim Erlin, VP of product management and strategy at Tripwire puts it, “While this settlement is directly related to the incident at Uber, its impact extends well beyond one company. A successful lawsuit with a meaningful financial impact reminds other organizations about the full range of cybersecurity risks. Financial settlement and fines are part of the risk equation when weighing out the costs and benefits of cybersecurity … There’s no doubt that the cover-up behavior was impactful in how this settlement played out. It’s a good reminder to all organizations of how a good breach response plan can help avoid poor decision-making in the midst of an incident.”

A company that is unconcerned with ethical or moral considerations might have previously decided to forego proper cybersecurity measures, if they felt those measures would cost more than any fines and consequences from a breach. Given Uber’s history of ethical lapses under former CEO Travis Kalanick’s reign, it could be argued that was their intent. It might also have been a negligent lack of preparedness combined with a panic decision. Whatever the case, the Uber breach settlement demonstrates that the stakes are now too high for cybersecurity to be at the bottom of anyone’s budget priority list. As Pravin Kothari, CEO of CipherCloud noted: “Uber’s payment of $148 million to settle compliance mismanagement is without precedent. The first problem was bad enough – a breach which granted hackers access to the personal information of over 57 million riders and drivers. The second problem was much worse – Uber evidently paid the hackers $100,000 to delete the data and keep the breach quiet, rather than report the incident. A blatant disregard for governance and compliance, putting customers at risk. The takeaway lesson is that it is incumbent upon all of us to foster a culture in our companies such that our employees understand the ethical necessity of full disclosure and transparency. Protecting our customers and their data is not optional.”

The regulatory future

The current patchwork of state regulations was enough to take a significant bite out of Uber. Tech industry analysts are almost universally expecting laws and fines to get even tougher, modeled primarily after the recently-adopted EU General Data Protection Regulation (GDPR). Paul Bischoff, privacy advocate with Comparitech.com, comments on how California is ahead of the game in this regard (and was a particularly bad place to attempt subterfuge): “Uber compounded its troubles when it made the decision to hide the data breach in violation of California law. California has some of the strictest privacy laws in the nation, and it requires data breaches be publicly disclosed. Had there been no cover-up, the incident would have passed with relatively little commotion. After all, the information leaked in the breach wasn’t particularly sensitive—no financial information or passwords were exposed. To me, this fine is more about Uber’s dishonesty than justice for victims.”

Need for proactive cybersecurity measures

The Uber breach settlement not only demonstrates the general need for all companies to protect their customers (and themselves) with proper proactive cybersecurity measures, but also highlights some specific areas that are in particular need of reinforcement.

The vulnerability used to attack the ride hailing company was simple; the hackers worked their way into a private Github repository used by Uber developers, where they found AWS login keys within shared code. Github was a popular target for hackers looking for this sort of thing long before the breach occurred. While these cloud-based repositories are critical tools for internationally distributed teams to collaborate, it has become clear that they also need security protocols in place and to be reviewed regularly. As Tal Guest, principal product manager at Bomgar points out: “Another unfortunate event like this reinforces why it is so critical for organizations to have a secure strategy for managing privileged and remote access to their systems. Especially if those systems store sensitive information for internal employees or customers … Remote access and stolen/compromised privileged credentials continue to be two of the most exploited pathways for bad actors looking to break through the attack surface and compromise secure data.  With the ever-growing environments of connected systems and devices, the job of securing privileged credentials, identities, and remote access is an absolute necessity.  It is imperative that organizations realize these threats and take extensive actions to shrink their attack surface.”

Companies also need a clear and regularly-tested response plan in the event of a breach. While Uber’s ethics are certainly questionable, much of the fallout appears to be the result of being caught with their pants down. A clear breach response protocol might well have pre-empted the poor decision to pay off the attackers and try to cover it up by calling it a “bug bounty.”

And until a set of federal regulations is drawn up, companies need to be aware of the specific data breach notification requirements in all of the states they operate in. Response plans will need to incorporate each of these unique sets of requirements as needed.

Settling on the settlement lessons

Uber’s decision to cover up this breach was a blatant attempt to mislead both consumers and contractors as to the safety of their personal data. Not only are they paying the price in terms of heavy fines, but also in long-term damage to their brand. An honest disclosure of the breach (in keeping with state laws) followed by a public commitment to better security would have been much less costly for the company but, not surprisingly, a company with a history of ethical lapses opted for an ethical lapse instead.

California companies already have stronger data protection requirements to consider, but companies that operate in other states would be wise to pro-actively scramble to have solid breach response and security protocols in place. GDPR-style regulation seems to be a matter of “when” rather than “if” at this point. If absolutely nothing else, the Uber case and settlement should be a giant warning sign to all data-handling companies that third-party activity has to be handled with the same level of caution and security that their local networks and data storage are handled with. If cloud-based collaboration tools like Github can’t be properly secured, then some other solution that can be needs to be found.