The art of withholding data breach news as showcased by Uber
22 November 2017
Data breaches are in the news more often, and increasingly they involve huge numbers of consumers: the infamous Yahoo! breach, the Equifax hack, the CEX breach that compromised the details of upwards of 2 million UK customers, and now the 'flavour of the day', the Uber breach.
There is, however, a closer connection between the breaches mentioned above: none of the companies involved told their customers about them at the outset.
While Equifax waited more than a month before it told its stakeholders and customers, Uber went one step further. It hushed up news of the October 2016 breach affecting 57 million customers and drivers, paid off the hackers and kept the whole sorry tale under wraps until it finally broke in November 2017.
It turns out Uber withheld information about a breach that affected up to 57 million users and drivers and paid the hackers $100,000 in hush money. While this is bound to have Uber's name trending for days for all the wrong reasons, withholding information for almost a year from those affected by the breach is a different issue altogether, verging on the unethical.
Uber has been hounded by controversy after controversy, from sexual harassment scandals to having its licence revoked in London for shirking its corporate responsibility. For it to be quite so brazen about this event is almost mind-boggling.
“None of this should have happened, and I will not make excuses for it,” said Dara Khosrowshahi, Chief Executive Officer, Uber in an emailed statement to Bloomberg. “We are changing the way we do business.”
Travis Kalanick, Uber's co-founder and then-CEO, found out about the hack in November 2016. This was just after Uber had settled a lawsuit with the New York attorney general over data security disclosures, and while it was negotiating with the Federal Trade Commission over its handling of consumer data. Its reluctance to make news of the breach public is therefore understandable, but it was still the wrong thing to do.
As expected, heads have now rolled at the ride-hailing company, with its CISO Joe Sullivan and his associates departing under a cloud, but the episode does not bode well for the company's public persona. Matt Walmsley, EMEA director at Vectra, said: “Organisations recognise that there is a need to prioritise the protection of citizens' personal data through disclosure, but can be reluctant due to the impact a confession will have on their reputation and market value. The disclosure of the Yahoo! data breach took a similar journey, for the same reason.
“This Uber breach of trust has rattled the regulators. The ICO has signalled its intention to investigate the actions of Uber and its data protection practices. However, the impact is unlikely to stop there. All eyes will be on how Softbank reacts to the news and if its planned investment moves forward unaffected.”
The results of a flash survey of 500 UK adults, conducted by Egress Technology on the morning of Wednesday 22nd November, would have made for difficult reading at Uber's headquarters:
- Having been made aware of the fact that Uber tried to cover up the breach, more than half (53%) of respondents said it made them want to stop using the taxi app
- When asked what measures they would take to protect their data following the breach, more than half (52%) said they would either delete the app or would start using another, similar service, while a third (33%) said they would take the sensible step of changing their passwords
- However, more than a fifth (21%) of respondents felt that such incidents probably happen all the time and so Uber's situation doesn't bother them and over a quarter (27%) felt it was annoying but wouldn’t stop them using the service
It remains unclear what businesses hope to achieve by withholding crucial information from customers. Although the attackers only obtained basic personal data and no sensitive information such as location data or credit card numbers, that basic data is exactly what cyber criminals use for identity theft and targeted phishing, and identity theft can ruin a person's credit rating. Customers who are not told cannot take even the simplest defensive steps, such as changing their passwords or treating emails that reference their account with suspicion.
If a breach of this magnitude had taken place at Uber after GDPR comes into force in May 2018, the company could have faced a fine of up to 4% of its global annual turnover, an eye-watering figure that in Uber's case has been put at around $800 million.
Chris Ross, SVP International at Barracuda Networks, said: "As the biggest cyber threat to businesses, ransomware attacks are becoming ever more widespread. While it's not been confirmed that Uber did pay the attackers, we always advise against paying ransoms. Even if you do pay up, there is no guarantee you'll get your data back or that the attackers will delete your data, as we're increasingly seeing cyber criminals take the money and run."
So we have Uber's word that the stolen information has been deleted. However, given that Uber withheld information for so long, as a customer I would take its word with a pinch of salt, as should others.
After all, the stolen details of 57 million customers and drivers could end up being the gift that keeps on giving for the hackers.
By Sunetra Chakravarti