The Uber hack is another blow in what has been a troublesome couple of months for the transportation technology company, which has had its licence to operate in London revoked over its failure to report serious incidents and protect customers from sexual assault, and which has faced constant criticism of its workplace culture and conditions.
However, it was revealed on 21st November that Uber had covered up a data breach affecting 57 million riders and drivers, with the ride-sharing firm paying £75,000 ($100,000) to the hackers in return for a promise that they would delete the personal data they had stolen.
The breach exposed the names, email addresses and telephone numbers of 57 million customers, as well as the names and driving licence details of around 600,000 Uber drivers.
Uber’s CEO, Dara Khosrowshahi, stressed in the company’s response to this revelation that their outside forensics experts “have not seen any indication that trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded.”
The Uber hack is another example of poor security practice and a lack of care for customer data. Yet, beyond the reputation Uber has already earned through its recent scandals, what will leave a lasting impression on the general public is the manner in which the organisation behaved after the breach.
Let's see what went wrong and what you can learn from it.
Bob's Business is passionate about removing the stigma attached to reporting data breaches. We believe organisations need to be seen to do the right thing after a breach, because that is how you show your customers that you care about them and their data.
When GDPR applies from 25th May 2018, reporting a breach to the supervisory authority within 72 hours of becoming aware of it will become mandatory, but for now there is no general legal requirement for organisations to report stolen data.
Uber's cover-up will leave a bitter taste in the mouths of its users. The breach took place in October 2016 and the company became aware of it in late 2016, yet the public is only being notified now, more than a year later.
This is similar to the Yahoo data breach, which went undisclosed for a number of years. Uber's reputation will decline rapidly, especially given the sensitivity of the personal data it holds in cloud storage, such as trip location history and bank account details. Customers will see this as a breakdown of trust, and many will reach for their smartphones to delete their accounts.
What Uber should have done is report the breach as soon as it became aware of it, and release a statement telling those affected which data had been stolen and what the company was doing to rectify the situation. That would have allowed Uber to minimise the damage to its brand among its customers.
Paying the Hackers
One of the biggest red flags in the information security industry is paying cyber criminals or hackers to retrieve data. You would be hard pushed to find a practitioner who would argue that you should spend money to regain control of your systems or your data in the event of a breach.
Yet despite this, a study conducted by IBM found that 70% of businesses hit by ransomware paid the ransom. While the Uber hack didn't involve ransomware, it shows that there is a massive miscommunication problem when it comes to paying hackers.
Uber paid the two hackers, who had gained access to data Uber stored with Amazon Web Services and downloaded the personal information, £75,000 ($100,000) on the understanding that they would delete everything they had taken.
With ransomware, the attackers typically encrypt the victim's files and demand payment for the key to recover them. If the individual or organisation pays, there is no guarantee that they will regain access to their data or their device.
In Uber's case, paying the hackers to destroy the data they downloaded is not recommended either. Uber's statement says the company obtained assurances that the hackers no longer possessed any of the data, but that can never be verified with certainty: copying stolen data costs nothing, and there is no way to prove that a copy does not still exist. The payment keeps the hackers quiet for now, but it does not mean they no longer hold anything.
What can you learn from this?
Every organisation should study high-profile data leaks such as Uber's and learn from their mistakes.
Here are some quick tips that will benefit your organisation right now:
- Implement training throughout your organisation – our solutions are designed to raise end users' awareness of common security practices and so reduce the likelihood of a data breach
- Empower your staff – make security an organisational issue, not just an IT one. Communicate with other departments and ensure they understand the importance of cyber security in their role
- Gain Cyber Essentials certification – this will help protect you against the most common cyber security threats and demonstrate to your customers that you treat their data with care. Check out our module for assistance
- Ensure you have well-thought-out policies and procedures – make sure all your staff are aware of them and follow them
- Be transparent – if you do become the victim of a data breach, report it immediately to the relevant authority and to the people affected, and be as clear as possible with your customers about what was taken
If you feel you have been affected by this data breach, please visit Uber’s resource page for assistance.