Recent news of a massive data breach at Uber that occurred in 2016 couldn’t come at a worse time for this troubled company. Uber, after all, is already facing a wide range of civil and criminal probes, including one related to foreign bribery charges. This formerly undisclosed Uber breach that affected 57 million people is particularly damaging because it shows the near complete lack of care at the company with regard to customer data – as well as the company’s inability to learn from previous security mishaps.
It’s not as if Uber shouldn’t know better. In August 2017, the Federal Trade Commission (FTC) levied penalties on Uber for below-standard privacy and security practices that dated back to 2014. Nearly three years before this current Uber breach, then, the company was already playing fast and loose with customer data. The FTC’s investigation into those earlier incidents should have been a wake-up call for Uber – but it wasn’t.
Instead, it now appears that Uber attempted to cover up a massive breach that affected 57 million Uber riders and drivers. Uber paid a $100,000 ransom to hackers to make the problem go away, but the Uber Chief Security Officer never divulged any details of this Uber breach to regulators or customers. That, despite the fact that 48 of 50 U.S. states require a company to self-report a significant data breach.
Since the 2016 Uber breach involved the unmasking of names, email addresses and phone numbers – in addition to driver’s license numbers and potentially also Social Security Numbers – it should have immediately triggered a data breach notification. Instead, Uber seemed to be content that enough had been done as long as the downloaded data had been destroyed.
Can Uber ever rebuild consumer trust after this data breach?
The public response to this Uber breach – even though it is more than a year old – has already been swift. At least three U.S. states – Illinois, New York and Connecticut – now appear to be readying court cases against Uber for covering up this data breach. The New York Attorney General, for example, has already warned of swift penalties.
And, within 48 hours after Bloomberg reported this Uber breach, two class-action lawsuits were underway within California. According to early details made available, these class-action suits will claim that Uber was “grossly negligent” in its data and security practices, failing to show a reasonable standard of care in protecting data.
In fact, Uber was apparently so negligent when it came to protecting data that it may have failed to even set up an intrusion detection process to protect its data. That raises serious concerns about just how seriously the subject of data privacy was ever held at Uber by executives such as Chief Security Officer Joe Sullivan. It seems incomprehensible that a company, already facing FTC probes for weak data security practices, would have failed to institute even the most basic of safeguards.
Terry Ray, CTO of Imperva, has suggested that Uber failed to ask a series of basic questions that might have prevented the security breach in the first place: “Some of the questions that should be answered include: Why did engineers have access to 57 million records of personally identifiable information? Did they go through an approval work flow to move that data online? Did Uber security have any monitoring in place to alert them when such vast amounts of data were accessed? Controls to alert on suspicious data access do exist, but my guess is that they were not used, which is all too typical in today’s enterprises.”
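The monitoring control Ray describes – alerting when one principal reads an unusually large volume of personal data – is simple to demonstrate. The following is an added example written for this article, not code from Uber or Imperva: a small detector that parses constructed audit-log lines of the form `timestamp principal table rows=N`, keeps a sliding per-principal window of row reads against tables assumed to hold personal data, and raises an alert once the running total crosses a threshold. The log format, table names (`riders`, `drivers`), principal names, and thresholds are all assumptions for illustration.

```python
"""Volume-based alerting on bulk access to personal-data tables.

Added example, not Uber's or Imperva's code. Reads audit-log lines of the
assumed form
    <ISO timestamp> <principal> <table> rows=<n>
and alerts when one principal's row reads from a personal-data table exceed
a threshold inside a sliding time window.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<principal>\S+)\s+(?P<table>\S+)\s+rows=(?P<rows>\d+)$"
)

# Tables treated as holding personal data (assumed names).
PII_TABLES = {"riders", "drivers"}

# Constructed sample log: an engineer account pulls ~10k rider rows in a few
# minutes while a billing service reads small batches.
SAMPLE_LOG = """\
2017-01-01T09:00:00 svc-billing riders rows=40
2017-01-01T09:00:30 eng-alice riders rows=500
2017-01-01T09:01:00 eng-alice drivers rows=25
2017-01-01T09:02:00 eng-alice riders rows=4000
2017-01-01T09:05:00 eng-alice riders rows=6000
2017-01-01T09:06:00 svc-billing riders rows=35
2017-01-01T09:30:00 eng-alice riders rows=200
""".splitlines()


def parse_line(line):
    """Return (timestamp, principal, table, rows), or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["principal"], m["table"], int(m["rows"]))


def detect_bulk_access(lines, threshold=10_000, window=timedelta(minutes=10)):
    """Return alerts as (principal, table, time_of_alert, rows_in_window).

    Lines are assumed to arrive in time order. For each (principal, table) a
    deque holds the (timestamp, rows) events still inside the window, and a
    running total is kept so the check is O(1) per line. Only one alert is
    raised per key until its total drops back under the threshold, so a
    single long export does not produce a flood of duplicate alerts.
    """
    events = defaultdict(deque)   # (principal, table) -> deque of (ts, rows)
    totals = defaultdict(int)
    alerted = set()
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                      # malformed line: skip, never crash the detector
        ts, principal, table, rows = parsed
        if table not in PII_TABLES:
            continue
        key = (principal, table)
        q = events[key]
        q.append((ts, rows))
        totals[key] += rows
        # Expire events that fell out of the sliding window.
        while q and ts - q[0][0] > window:
            _, old_rows = q.popleft()
            totals[key] -= old_rows
        if totals[key] >= threshold:
            if key not in alerted:
                alerted.add(key)
                alerts.append((principal, table, ts, totals[key]))
        else:
            alerted.discard(key)
    return alerts


if __name__ == "__main__":
    for principal, table, ts, rows in detect_bulk_access(SAMPLE_LOG):
        print(f"ALERT {ts.isoformat()} {principal} read {rows} rows from {table} within window")
```

On the sample log the detector raises a single alert for `eng-alice` against `riders` at 09:05, when the ten-minute total reaches 10,500 rows; the billing service’s small reads never approach the threshold. In practice the threshold would be set per table from a measured baseline, and the alert would feed a ticketing or SIEM pipeline rather than a print statement, but the structure is the same: the control is cheap to build, and its absence is a choice.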
This Uber breach might finally be the event that alerts consumers to the various ways that companies are using (and misusing) their data. Uber has already become an extraordinarily controversial company, and given the profusion of new ride-hailing services available today, it would conceivably be very easy for customers to take their business elsewhere. If Uber isn’t going to sit up and pay attention to federal regulators, the company will surely pay attention to a shrinking customer base, right?
Implications of the Uber breach on the company’s future
There is still time for Uber to try to rectify matters, both with regulators and customers. The company’s new CEO Dara Khosrowshahi seems to be much more willing to accept the company’s security flaws than the previous Uber chief. The company apologized on behalf of every Uber employee and has committed to learn from its mistakes. In the future, it is clear, the company won’t attempt to keep a breach quiet.
But is that late apology enough? Uber has always prided itself on being one of the tech world’s darlings with a passionate consumer base. If Uber is really serious about repairing its reputation, then it will have to show that it is eager to work with regulators and lawmakers – and not attempt to fight them or forestall future litigation.
According to Steven Bearak, CEO of IdentityForce, Uber needs to act quickly to address this latest controversy: “Although Uber has posted details of the breach in an apology on their web site, if there are any further details to come out about the hack, they must make all information available immediately. They should also consider setting up resources for their customers as well, not just their drivers, that would empower everyone to protect their own personal information. Additionally, establishing a dedicated hotline and call center where their drivers and customers can call to ask questions and raise concerns would also be key to providing an open line of communication. Transparency is also key in asking for forgiveness.”
“If Uber is going to truly change how they do business and put integrity at the center of their decision-making process, they must also back this up quickly for consumers.” – Steven Bearak, CEO of IdentityForce
But how much time does Uber really have? After all, it now looks like the legal process is being set into motion within the United States. And European regulators have also chimed in on the matter, noting that U.S. tech giants such as Uber need to clean up their data privacy practices.
With the new European General Data Protection Regulation (GDPR) scheduled to go into effect in May 2018, the idea that U.S. tech giants still haven’t gotten a handle on their data protection processes could mean that the key European market could become a lot harder for U.S. tech companies to access. That, too, will surely weigh on Uber’s bottom line if it can no longer expand in cities like Paris or Berlin.
Lessons from the Uber breach for other fast-growing tech companies
The lesson for the Ubers of the world is clear: data privacy matters. At one time, it only mattered how innovative a Silicon Valley tech giant was and how fast it could grow. That image is what attracted customers – young millennials wanted to be part of a disruptive company that was changing the rules of business at a very rapid pace. That’s what made it so trendy to sign up for a service like Uber. But now, after years of security breaches at America’s top companies, the perception of what makes a “market leader” finally seems to be changing.
Tim Erlin, VP of Product Management and Strategy at Tripwire, has suggested that the long-term impact on consumer confidence could be significant: “A cover-up like this can’t help but drive the question of what other breaches are known, but kept quiet. It can’t help but damage consumer confidence, not just in Uber, but in any company collecting personal data.”
Tech companies now have a responsibility to their customers to be at the forefront of data security and privacy. Being able to guarantee your customers and users that their data is safe from hackers is what may give some companies a competitive advantage. These customers don’t want their personal information – and certainly not their driver’s license information – being compromised by hackers.
The Uber breach could be a wake-up call for customers
Some pundits in the media have suggested that customers have been desensitized as a result of hearing about data breach after data breach. After a certain point, the names of the companies start to blur together – Anthem, Equifax, Target, Home Depot and Uber have all made headlines. Until now, customers haven’t reacted strongly. And so companies have apparently taken that lack of concern to mean that they shouldn’t be wasting important financial and IT resources on a problem if customers don’t care.
“Consumers now have to worry about undisclosed breaches in addition to undiscovered breaches.” – Tim Erlin, VP at Tripwire
But as the lawsuits mount – and as the Uber breach remains in the public eye – it could mean a day of reckoning for companies that have been hiding security breaches, paying hacker ransoms, and being grossly negligent in their practices.
As Bearak notes, “With 2017 being the biggest breach year to date, it’s clear that consumers are realizing that yes, in fact their personal information is everywhere. We must all realize that cyber criminals know how to find our personal information and how to use it to claim our identities. Scammers even know how to patch pieces of identities together, known as synthetic identity fraud, to create even more attractive versions of our financial selves. It could even take over a year before the impact of having pieces of your personal information breached appear in your life and create massive headaches around restoring your good name and identity.”
The current debate over data privacy, which has largely remained off the radar of most consumers, could suddenly become a very big deal in 2018 as the scale and scope of these data breaches continue to mount.