Uber has admitted that it suffered a data breach in 2016. Hackers gained access to the details of 57 million customers. Names, phone numbers and email addresses were included in the stolen data, along with driving license numbers of some 600,000 US drivers. In total, the hack affected some 50 million customers and seven million drivers.
That was bad enough. However, what followed was worse. Uber failed to report the breach to authorities or regulators. As so often is the case, the cover-up is worse than the crime. That may be a correct interpretation of the adage in this instance, especially because Uber confirmed it paid the hackers $100,000 to delete the data and keep the breach quiet. This murky development simply adds to the intrigue.
What makes Uber’s situation such a head-scratcher to industry observers is that it felt a need to conceal the breach. Chris Hoofnagle of the Berkeley Center for Law and Technology, described Uber's failure to disclose the breach as “amateur hour.” He commented,
“The only way one can have direct liability under security breach notification statutes is to not give notice. Thus, it makes little sense to cover up a breach.”
Nonetheless, Uber did. Why?
Perhaps the deceit was meant to deflect from its ineptitude in guarding its data. Two hackers are credited with obtaining login details in order to access data stored on Uber’s Amazon Web Services account. Paul Lipman, CEO of cybersecurity firm BullGuard, said that the fact that the data was being stored unencrypted was “unforgivable.” He added,
“That’s just a complete misstep from an information security viewpoint.”
Whatever its rationale, Uber has ignited a fire under government officials worldwide, who are expressing outrage at the breach and calling for explanations for the cover-up. A Federal Trade Commission spokesman said the agency is “closely evaluating the serious issues raised.” In Congress, Sen. Richard Blumenthal (D., Conn) said that the Senate Commerce Committee should convene to “demand Uber explain their outrageous breach-and inexplicable delay in informing its consumers and drivers.”
New York State’s attorney-general is also opening an investigation. New Mexico’s authorities are also posturing for one. Nor are the outcry and fallout limited to the US. Uber hasn’t yet disclosed a geographic breakdown of the compromised accounts. However, at least three European government agencies are looking into Uber’s handling of the breach. Piling in, too, is Britain’s Information Commissioner’s Office, which oversees data protection in the country.
Not to be left out in expressing dismay and outrage are the Italian and Dutch authorities. They've said they also planned to evaluate how Uber handled the data breach. Antonello Soro, the Italian Data Protection Authority’s president, stated,
“We are dismayed by the poor transparency shown towards users, which we intend to investigate.”
Meanwhile, the Philippines authorities gave Uber until 23 November to explain the breach and its clumsy cover-up.
The $68 billion ride-hailing giant is doing its best to show contrition. Chief Executive Dara Khosrowshahi, only three months at the helm and fighting a host of problems before this, made a statement regarding the breach and cover-up:
“None of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.”
To remedy the crisis, the company said it will offer free credit monitoring for affected drivers and additional monitoring for fraud on the accounts of affected customers. This comes on the heels of the statement to the users of the service and the public-at-large that financial information such as credit cards and Social Security numbers weren’t taken. Uber said it identified the hackers and “obtained assurances” they had destroyed the stolen data. The company didn’t disclose who the hackers were or whether they were domestic or foreign, state actors or “citizen cybercriminals.”
The actions of the ride-hailing company after its egregious mistake may assuage some customers. Uber's actions don’t rise to the level of Yahoo’s years-long deception of just how massive its breach was, while trying to protect its stock price in anticipation of a higher buyout offer. The breach is small, also, in size and ramifications for customers when compared to the recent Equifax breach.
Nevertheless, Uber must be held accountable for not being forthcoming immediately about the breach. Authorities should make an example of Uber lest other firms try something similar (or worse) in the future. In today’s world, we may have come to expect security failures but we don’t have to tolerate corporate cover-ups which leave customers in the dark and at risk.
Opinions are the writer's own.