In mid-November 2017, popular ridesharing service Uber disclosed that in 2016, hackers breached their systems and stole the account information of more than 57 million drivers and riders. Uber further revealed that they buried this story for more than a year, paying a ransom of $100,000 to the hackers – against the recommendation of the FBI – to keep this breach out of the public eye.
After this revelation, Uber was highly criticized for failing to be transparent and for supporting cyber criminal activity by paying the ransom. Uber also faced a number of penalties, lawsuits, and investigations that created a PR nightmare — proving that a cover up backfires in a big way.
Uber’s failure to immediately disclose the hack (and subsequent ransom payment) is an example of what not to do in the aftermath of a data breach. Read below to find out more about the data breach, how costly it was for Uber, and what you can do to prevent your company from falling into the same mishap.
The Company and the Cover-Up
Similar to the 2016 breaches at Yahoo and the September 2017 Equifax breach, the Uber breach compromised personal data, which included customer names, phone numbers, email addresses, and home addresses. Although the Uber breach was smaller in scale than the others, it was still devastating and costly for Uber.
Critics quickly took aim at Uber executives for their unwillingness to take immediate responsibility and their propensity to hide the hack to maintain a positive reputation. In fact, some of the sharpest criticism was levied upon Uber for its tactics after paying the ransom. After Uber officials discovered the identities of the hackers, they encouraged them to sign non-disclosure agreements in an attempt to label the process — including the ransom payout — a part of Uber’s “bug bounty.”
Uber’s bug bounty is a voluntary program in which users are paid if they find exploitable security flaws in Uber’s software. After criticism from the 2016 breach, Uber decided to revisit the provisions and rewards of the program, specifically clarifying what “good faith” entails.
The lengths to which Uber officials went in order to protect Uber’s image has called the company’s ethics into question. Their shady dealings prove that if you cover up a data breach, especially when user data is stolen, it will hurt your company’s reputation and damage user trust — trust that is hard to build initially, but even tougher to regain.
As part of the fallout from the 2016 breach, Uber fired their chief security officer, Joe Sullivan, as well as Craig Clark, their legal director of security and law enforcement. Former Uber CEO Travis Kalanick was also scrutinized for this breach, even though he’d been forced out of his position months prior to the cover-up revelations.
Dara Khosrowshahi was named CEO after Kalanick was ousted, and he detailed his reaction to the hack and cover up in a blog post. As part of the company’s response, Uber retained the services of Matt Olsen, former general counsel of the U.S. National Security Agency, to help with structuring their security moving forward. The company also provided drivers affected by the breach with free credit monitoring and identity theft protection.
However, Uber did not contact riders whose accounts were compromised and instead suggested that the company would monitor those accounts and flag them for additional protection. This created a lot of suspicion about Uber’s policies in regards to customer data and data security. It also illustrates why customer data should be a top concern for your company.
Many states, including Illinois, Massachusetts, New York, Connecticut and California — and even the Italian Data Protection Authority — began to investigate this data breach to determine whether Uber broke any state, federal, or international laws. Uber was also questioned for lying to the Federal Trade Commission (FTC) while under investigation. The dust continues to settle, with recent news breaking of Uber agreeing to stricter FTC requirements, as well as the Pennsylvania attorney general filing a lawsuit against Uber because of the breach.
What You Can Learn From Uber
As a business owner, you can learn quite a few lessons from Uber. Two of the most important takeaways are that accountability and transparency are the best responses in the event of a data breach — and this is even more important when customer data is compromised. Attempts to conceal a breach will only erode the trust of the public, and the PR fallout will be doubly damaging.
Additionally, attempting to conceal a breach could put your business in legal jeopardy, and running afoul of the law also does not create a positive brand image scenario. Add lawyer fees, penalties, and fines to the mix, and an attempted cover up could end up costing a lot more than your company’s reputation.
A wise first step toward protecting your business is to start with a trusted cybersecurity system. Your security system is the first line of defense against a hack, and it could mean the difference between keeping data safe or losing it — along with your customer’s trust — in a massive data breach.
If you are concerned about the strength of the cybersecurity methods in use at your business, contact our team at Sentek Cyber.