A covered-up security breach from 2016 is causing more controversy for the ride-sharing company Uber.
Uber, at this point, has a long history of swimming in hot water.
The car summoning service has weathered controversies that involve taxi driver protests, underpaid drivers, a work culture steeped in toxicity, using software to evade regulators, a lawsuit over stolen Google technology, surge pricing scandals, sexual harassment scandals, and a belligerent CEO. The company even spied on Beyoncé.
But the latest Uber gaffe involves a massive global data breach and a subsequent cover-up. The sensitive personal information of 57 million customers and drivers, which was stored on third-party cloud-based services, was compromised back in October 2016. Uber waited until this week to admit that the security breach had happened. It failed to notify regulators or the affected data subjects when the breach was first discovered.
If that’s not enough, Uber tried to cover up the breach by paying the hackers $100,000 to delete the downloaded data, which includes the names, email addresses, and mobile phone numbers of customers, and the license numbers of nearly 600,000 Uber drivers in the United States. The company says no credit card numbers, dates of birth, location histories, or Social Security numbers were stolen in the hack.
Since the attack, Uber representatives insist the company has implemented new security measures and strengthened access to, and the controls on, its cloud-based storage accounts. But that hasn’t stopped customers from filing lawsuits against the company. There’s also an investigation into the attack led by New York Attorney General Eric T. Schneiderman, whose NYCRR500 cybersecurity regulations are set to kick in next year.
The NYCRR500 requires financial services companies in New York City, and the third-party services that handle subject data, to have full-fledged cybersecurity programs in place to prevent breaches. In the case of a breach, organizations must notify regulators and data subjects or risk steep fines or loss of their license to operate. Uber got lucky that the security breach happened before this regulation went into effect.
If the breach had occurred after May 2018, when the European Union’s General Data Protection Regulation (GDPR) is set to take effect, the ride-sharing company would have had to pay up to four percent of its global annual revenue for failing to protect the data, failing to notify regulators, and failing to notify its customers in a timely manner. It’s unclear how many of Uber’s customers in the EU were affected by the hack, but the GDPR doesn’t just affect the UK or surrounding nations: its reach is global.
Just as Uber has become infamous for its controversies, the GDPR has become well known for its promise to impose steep penalties on companies that fail to protect the private data of customers and employees. The financial consequences are meant to force businesses and other organizations to care more about protecting customer and client private data. It’s up to companies like Uber to protect that data, but it has become increasingly clear there’s still a long way to go toward ensuring full data protection.
This Uber case shows once again that it is important to additionally protect sensitive data in the cloud, especially when third-party data processors are involved. An additional layer of protection such as eperi Cloud Data Protection would have encrypted, or pseudonymized, the personally identifiable information of every data subject, rendering it meaningless if compromised. Malicious attackers wouldn’t have been able to do anything with the stolen information.
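To make the pseudonymization idea concrete, here is an added example of field-level pseudonymization applied to customer and driver records before they are written to a third-party cloud store. It is illustration code written for this page, not eperi's product or Uber's code. The record layout, the list of PII fields (name, email, phone, license number), the HMAC key, and the in-memory "vault" and "cloud" stores are all constructed assumptions; in a real deployment the key and the vault would live on a system separate from the cloud data store. Each PII value is replaced by a keyed HMAC token, so the cloud copy keeps its structure (records can still be grouped or joined on the token) while a dump of the cloud store alone, without the key and vault, reveals no identities.

```python
"""Field-level pseudonymization of PII before it reaches a third-party cloud.

Added example for this page, not eperi's or Uber's code. Everything here
(record layout, PII field list, key, stores) is constructed for illustration.
"""
import hashlib
import hmac

# Fields that identify a data subject; every other field is stored as-is.
# Assumed set, chosen to mirror the data categories named in the breach.
PII_FIELDS = ("name", "email", "phone", "license_number")


class Pseudonymizer:
    """Replaces PII values with keyed tokens and keeps the token->value map
    (the 'vault') in a store that is assumed to be separate from the cloud."""

    def __init__(self, key: bytes):
        self._key = key      # stays on the customer's side of the boundary
        self._vault = {}     # token -> original value; assumed separate store

    def tokenize(self, field: str, value: str) -> str:
        # Keyed, deterministic token: the same value always maps to the same
        # token (so the cloud side can still join records), but without the
        # key the token cannot be computed, and without the vault it cannot
        # be reversed. The field name is mixed in so the same string used in
        # two different fields yields two different tokens.
        mac = hmac.new(self._key, f"{field}:{value}".encode(), hashlib.sha256)
        token = "tok_" + mac.hexdigest()[:32]
        self._vault[token] = value
        return token

    def pseudonymize(self, record: dict) -> dict:
        """Return the copy of `record` that is safe to hand to the cloud store."""
        return {k: (self.tokenize(k, v) if k in PII_FIELDS else v)
                for k, v in record.items()}

    def reidentify(self, record: dict) -> dict:
        """Restore a cloud record using the vault (only possible on our side)."""
        return {k: (self._vault.get(v, v) if k in PII_FIELDS else v)
                for k, v in record.items()}


def pii_exposed(cloud_records: list, originals: list) -> bool:
    """True if any original PII value appears verbatim in the cloud copy.

    This is the check a defender runs against what the third party holds:
    if a breach of that store would hand the attacker readable PII, the
    protection layer is not doing its job."""
    original_values = {r[f] for r in originals for f in PII_FIELDS if f in r}
    for rec in cloud_records:
        for f in PII_FIELDS:
            if rec.get(f) in original_values:
                return True
    return False


def demo() -> dict:
    """Run the round trip on a constructed record and report what the cloud sees."""
    # Constructed sample data; not real people.
    driver = {
        "name": "Ada Example",
        "email": "ada@example.test",
        "phone": "+1-555-0100",
        "license_number": "D1234567",
        "trips_completed": 12,
    }
    p = Pseudonymizer(key=b"constructed-demo-key-keep-on-prem")
    cloud_copy = p.pseudonymize(driver)
    return {
        "cloud_copy": cloud_copy,
        "exposed": pii_exposed([cloud_copy], [driver]),
        "round_trip_ok": p.reidentify(cloud_copy) == driver,
    }


if __name__ == "__main__":
    result = demo()
    print("stored in cloud:", result["cloud_copy"])
    print("PII exposed in cloud copy:", result["exposed"])
    print("re-identification works with vault:", result["round_trip_ok"])
```

The design choice worth noting is the split of responsibilities: the cloud provider only ever receives tokens plus non-identifying fields, while the key and the vault stay with the data controller. An attacker who copies the third-party store, as happened in the Uber case, gets structure without identities; re-identification requires a second compromise of the on-premises side.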