Lessons Learned from Uber’s Data Breach
Uber, the ride sharing company, recently announced a massive data breach that occurred in 2016, but ignored notifying the victims. The breach occurred in October, 2016 and the then chief executive learned about the breach one month later, in November, 2016. The breach was not disclosed for over one year, until the new chief executive learned about it. In addition to ignoring state data breach notification laws, it seems Uber paid the cyber-criminal $100,000 to destroy the copy of the stolen data and had the hacker sign a non-disclosure agreement, in apparently an effort to cover up the data breach. An estimated 50 million customer records were stolen plus 7 million Uber driver records. Uber has also stated that close to 3 million of the records are customers located in Britain.
Forty-eight states have specific data breach notification laws with which companies must comply, if they have customers in that state. The two states without a data breach notification law are Alabama and South Dakota. Uber is now in the process of handling required notifications, a year after the data breach.
According to news sources, the hacker demanded payment for the data stolen. Uber then directed the request to the vendor that manages its bug bounty program which in turn paid the hacker $100,000. Bug bounty programs are a way businesses incent “good” hacking in an effort to identify potential vulnerabilities in software or applications. A vulnerability can then be fixed before a cyber-criminal uses it to steal data or perform other cyber-crimes. The maximum payment is usually around $10,000. Several cyber security specialists stated this is the first time they have heard of a bug bounty program used to pay ransom to a hacker.
Uber is learning there are many consequences of its past actions on this data breach.
· Multiple states are either investigating potential violations or have filed lawsuits against Uber for failure to follow their data breach notification laws.
· The Federal Trade Commission might investigate whether Uber is in violation of its rule on breach disclosure. The FTC rule prohibits companies from destroying any forensic evidence in the course of an investigation.
· Foreign country laws may have been violated, since some of the data stolen was related to customers outside the United States. Some countries assess fines against companies that do not adhere to their laws.
· Several class action lawsuits have been filed.
With each new data breach publicized, there are take-aways that businesses can learn. Executives need to know:
· What is going on in their cybersecurity world. They are ultimately responsible to know what is going on in their company. Stated ignorance is not being accepted by regulators, customers or legislature members.
· What the data breach laws are for all geographies where they have customers. International laws in some cases are more stringent that some state laws. There is evidence that governmental entities, foreign and domestic, will file lawsuits against a business that did not follow their laws.
· A cover-up is most likely going to be worse that the actual data breach impacts.
Executives should make sure their company has a strong code of ethics and a method of safely disclosing cyber concerns. They should also ensure compensation plans of senior cybersecurity staff encourage communications on potential data breaches and not trying to hide incidents. Additionally, there should be a positive communications channel with the board of directors on cyber security. It is not whether, but rather when and how massive, a business will be hacked.
As with audits of financials, periodic outside review of practices and cyber security environment at your business needs to be conducted.
About the Author - Carolyn Schrader is a seasoned cybersecurity professional and founder of the Cyber Security Group Inc., providing corporate cybersecurity services to high profile clients.