The Uber case that involved the exposure of personal information of tens of millions of people has been settled, and the pioneering ride hailing company is facing some heavy fines to go along with the considerable brand damage that they have already experienced. The Uber breach settlement should be a strong caution to any tech company that handles personal data, but especially those that have sensitive information stored on third-party cloud servers.
The hack of Uber’s database took place on Nov 6, 2016, but the company learned about the breach a month later and then kept the matter hidden for nearly a full year. The hackers stole account information, including names, email addresses and cellphone numbers, for 50 million riders and 7 million drivers, among which were about 600,000 driver’s license numbers. The hackers then held Uber to ransom, receiving a payment of $100,000 to not go public about the breach. It was not the first offense of this nature for Uber, which had failed to disclose a smaller data breach in 2014.
Penalties and promises
The Uber breach settlement, which involves the governments of all 50 states, is one of the largest in history for a data privacy case. Announced by California Attorney General Xavier Becerra and San Francisco District Attorney George Gascón, the company agreed to pay $148 million in total, which will be distributed among all of the states and the District of Columbia. In addition to the sheer scope, what makes the case unique is that Uber was being held to account not just for failing to provide notice of the breach (in accordance with each state’s individual data privacy laws) but also for engaging in deceptive trade practices. The state of Texas claimed that Uber violated their Deceptive Trade Practices Act by claiming to secure user data but failing to actually provide adequate security.
In addition to the fine, Uber has agreed to implement new security measures as part of the settlement. These include a new password policy for employees, a revamped data security policy for all personal data collected by the company, a corporate integrity program and third-party monitoring of the company’s data security practices.
“The commitments we’re making in this agreement are in line with our focus on both physical and digital safety for our customers, as exemplified by our recent announcement of a host of safety and security improvements and our recent hiring of experts like Ruby Zefo as Chief Privacy Officer and Matt Olsen as Chief Trust and Security Officer,” Uber Chief Legal Officer Tony West said in a statement. “We’ll continue to invest in protections to keep our customers and their data safe and secure, and we’re committed to maintaining a constructive and collaborative relationship with governments around the world.”
Though the embattled company opted to settle the case before it went to trial, the fact that the states so clearly won the Uber breach settlement is important. It sets an informal precedent that other companies will need to pay attention to.
Ramifications of the Uber breach settlement
Nearly every tech company that handles personal and private data will be compelled to make some changes as a result of the Uber breach settlement. As Tim Erlin, VP of product management and strategy at Tripwire puts it, “While this settlement is directly related to the incident at Uber, its impact extends well beyond one company. A successful lawsuit with a meaningful financial impact reminds other organizations about the full range of cybersecurity risks. Financial settlement and fines are part of the risk equation when weighing out the costs and benefits of cybersecurity … There’s no doubt that the cover-up behavior was impactful in how this settlement played out. It’s a good reminder to all organizations of how a good breach response plan can help avoid poor decision-making in the midst of an incident.”
A company that is unconcerned with ethical or moral considerations might have previously decided to forego proper cybersecurity measures, if they felt those measures would cost more than any fines and consequences from a breach. Given Uber’s history of ethical lapses under former CEO Travis Kalanick’s reign, it could be argued that was their intent. It might also have been a negligent lack of preparedness combined with a panic decision. Whatever the case, the Uber breach settlement demonstrates that the stakes are now too high for cybersecurity to be at the bottom of anyone’s budget priority list. As Pravin Kothari, CEO of CipherCloud noted: “Uber’s payment of $148 million to settle compliance mismanagement is without precedent. The first problem was bad enough – a breach which granted hackers access to the personal information of over 57 million riders and drivers. The second problem was much worse – Uber evidently paid the hackers $100,000 to delete the data and keep the breach quiet, rather than report the incident. A blatant disregard for governance and compliance, putting customers at risk. The takeaway lesson is that it is incumbent upon all of us to foster a culture in our companies such that our employees understand the ethical necessity of full disclosure and transparency. Protecting our customers and their data is not optional.”