Recent news of a massive data breach at Uber that occurred in 2016 couldn’t come at a worse time for this troubled company. Uber, after all, is already facing a wide range of civil and criminal probes, including one related to foreign bribery charges. This previously undisclosed Uber breach that affected 57 million people is particularly damaging because it shows the near-complete lack of care at the company with regard to customer data – as well as the company’s inability to learn from previous security mishaps.
It’s not as if Uber shouldn’t know better. In August 2017, the Federal Trade Commission (FTC) levied penalties on Uber for below-standard privacy and security practices that dated back to 2014. Nearly three years before this current Uber breach, then, the company was already playing fast and loose with customer data. The FTC’s involvement in investigating those data breach incidents should have been a wake-up call for Uber – but it wasn’t.
Instead, it now appears that Uber attempted to cover up a massive breach that affected 57 million Uber riders and drivers. Uber paid a $100,000 ransom to hackers to make the problem go away, but the Uber Chief Security Officer never divulged any details of this Uber breach to regulators or customers. That, despite the fact that 48 of 50 U.S. states require a company to self-report a significant data breach.
Since the 2016 Uber breach involved the unmasking of names, email addresses and phone numbers – in addition to driver’s license numbers and potentially also Social Security Numbers – it should have immediately triggered a data breach notification. Instead, Uber seemed to be content that enough had been done as long as the downloaded data had been destroyed.
Can Uber ever rebuild consumer trust after this data breach?
The public response to this Uber breach – even though it is more than a year old – has already been swift. At least three U.S. states – Illinois, New York and Connecticut – now appear to be readying court cases against Uber for covering up this data breach. The New York Attorney General, for example, has already warned of swift penalties.
And, within 48 hours of Bloomberg reporting this Uber breach, two class-action lawsuits were underway in California. According to early details made available, these class-action suits will claim that Uber was “grossly negligent” in its data and security practices, failing to show a reasonable standard of care in protecting data.
In fact, Uber was apparently so negligent when it came to protecting data that it may have failed to even set up an intrusion detection process to protect its data. That raises serious concerns about just how seriously the subject of data privacy was ever taken at Uber by executives such as Chief Security Officer Joe Sullivan. It seems incomprehensible that a company, already facing FTC probes for weak data security practices, would have failed to institute even the most basic of safeguards.
Terry Ray, CTO of Imperva, has suggested that Uber failed to ask a series of basic questions that might have prevented the security breach in the first place: “Some of the questions that should be answered include: Why did engineers have access to 57 million records of personally identifiable information? Did they go through an approval workflow to move that data online? Did Uber security have any monitoring in place to alert them when such vast amounts of data were accessed? Controls to alert on suspicious data access do exist, but my guess is that they were not used, which is all too typical in today’s enterprises.”
This Uber breach might finally be the event that alerts consumers to the various ways that companies are using (and misusing) their data. Uber has already become an extraordinarily controversial company, and given the profusion of new ride hailing services that are available today, it would conceivably be very easy for customers to take their business elsewhere. If Uber isn’t going to sit up and pay attention to federal regulators, the company will surely pay attention to a shrinking customer base, right?