Uber and the Hidden Breach


Breaking news last week revealed that Uber Technologies Inc, the global transportation technology company, hid a huge data breach from customers, employees and the authorities. The story came out more than a year after the breach itself.

Hackers stole the personal data of over 57 million customers and drivers in October 2016, exposing names, email addresses and phone numbers. Uber claims that no social security numbers, credit card information, trip details or other data were taken.

Amid other global news stories and its tumbling reputation, Uber removed its chief security officer and a deputy from their roles following allegations that they played a part in keeping the attack under wraps, including allegedly paying the attackers $100,000. It is thought that many of the organisation's senior managers, including the CEO at the time, were aware of the breach.

Yet nobody reported it. Instead, Uber paid the hackers to delete the data and keep the breach quiet. Uber claims the stolen personal data was never used.

Given that Uber is a global company, it is likely that UK citizens were among the 57 million customers and drivers whose personal data was stolen. The Information Commissioner’s Office (ICO) released a strongly worded statement explaining that it will be working with the National Cyber Security Centre to establish whether this was the case and what steps the company needs to take to eliminate any further risk.

Uber’s admission that it concealed a data breach dating from October 2016 raises huge concerns about its data protection policies and ethics.

With the General Data Protection Regulation applying from 25 May 2018, a controller that suffers a personal data breach likely to result in a risk to individuals’ rights and freedoms must, under Article 33, report it to the ICO without undue delay and, where feasible, not later than 72 hours after becoming aware of it. Had these rules been in force in 2016, a year-long cover-up would have been a clear breach of the regulation in its own right.

The ICO statement continued: “Deliberately concealing breaches from regulators and citizens could attract higher fines for companies.”

Since the breach, the company has taken steps to make its data more secure and to strengthen access controls on its cloud-based storage systems. It has hired a former National Security Agency general counsel as an advisor to assist in restructuring its security teams, and engaged a reputable cybersecurity firm to investigate the hack and provide incident response services. But it is too little, too late for those who had their data stolen.

Although the company is based in San Francisco, the New York Attorney General, who in January 2016 fined Uber $20,000 for failing to promptly disclose an earlier breach dating from 2014, is among the regulators now investigating and may decide on a further penalty for the company.

Organisations need to work closely with their IT and security teams to make sure they have robust, appropriate technical and organisational measures in place to protect the personal data they hold, and a tested plan for detecting, containing and reporting a breach within the GDPR deadline when one does occur.

BLS/Stay Compliant can help you develop or update your breach notification procedures, policies and response plans, and we provide specific training on how to prevent data breaches.

Give us a call on 01274 562630 to see how we can help you prevent such breaches of personal data. Get in touch, we can help.