Uber Kept A Massive Data Breach Under Wraps For More Than A Year, Despite 57 Million Customers And Drivers Being Affected.
Uber, a popular ride-sharing company serving customers worldwide, is in hot water once again, this time over the revelation that the company was hacked over a year ago and chose to quietly pay off the cybercriminals behind the attack. In exchange for $100,000, the two hackers are said to have agreed to delete the data they stole from Uber and keep what they’d done to themselves.
Roughly 50 million Uber customers and 7 million Uber drivers had their personal information compromised by this data breach. Drivers had their names and driver’s license numbers exposed, while riders had their names, email addresses, and cell phone numbers exposed. However, Uber was quick to reassure the public that forensic experts weren’t able to find anything that indicated riders’ credit cards, bank account numbers, Social Security numbers, dates of birth, or ride history (and the addresses attached to those rides) were compromised.
And while there is also no indication that the hackers who got their hands on this data used any of it for fraudulent purposes, the fact remains that Uber – or at least certain staff members – was aware of this breach and chose not to disclose that the hack had happened.
By not notifying both the individuals whose data was stolen and the proper authorities, Uber violated several legal and ethical guidelines. California law requires businesses to report these types of cyber incidents to both the state attorney general and the individuals affected by the crime.
Not every state has the same requirements as California, however, which is problematic for consumers for a number of reasons. Intivix’s own Mark Simmerman spoke with the SF Chronicle earlier this week and pointed out that this particular breach is a great example of why a national standard for dealing with these breaches is needed.
Inconsistencies in regulations and laws from state to state make it far too easy for companies to brush off these cyber attacks without feeling pressured to come forward and notify the public and the proper authorities. Without clear guidelines for businesses to follow when a breach happens, those businesses can’t do what’s necessary to protect their customers – whether the breach was the business’ fault or not.
As one of our senior security engineers, Mark has seen how easy it is for a small vulnerability or oversight to create a situation like this for businesses. While attacks can’t always be prevented outright, knowing what to do, who to contact, and how to help authorities help your business can make a painful and embarrassing situation much less stressful to deal with.
Uber’s biggest mistake wasn’t how they chose to deal with the hackers who targeted them, but in keeping the breach a secret. That mistake has cost its chief security officer, Joe Sullivan, his job, as well as the job of one of his subordinates. And it’s going to cause significant damage to Uber’s already shaky reputation – much more so than if they’d come out with this information when it was first uncovered.
Secrecy is never the right approach when your customers are at risk. Having cybersecurity measures in place to prevent data breaches, and to handle the situation efficiently and responsibly should the worst happen, is the smartest and safest option.
Learn more about the Uber data breach and read Mark’s full comments on the SF Chronicle’s website.
Want to learn more about the options available to help you protect your business from data breaches and other forms of cybercrime? Contact Intivix at firstname.lastname@example.org or (415) 543 1033. We’re the cybersecurity professionals businesses in the Bay Area trust.