Accessibility Links

Uber data breach cover-up could land firm in hot water

24 / 11 / 2017
Uber has had a challenging few months in the UK, with the ride-hailing business told it cannot operate in London following public safety and security issues.

An appeal is underway, but Uber is facing greater problems than its London woes after news broke that a major data breach occurred at the firm in October 2016.

This would be troubling news anyway, particularly as 57 million customers and drivers worldwide are thought to be affected. However, Uber has also admitted covering up the breach, despite mandatory notification legislation existing in multiple jurisdictions where the firm operates.

How did the cover-up occur?

The company admitted paying hackers $100,000 (£75,000) to delete the stolen data and remain quiet about the attack. According to Bloomberg, former chief executive Travis Kalanick has known about the incident for approximately a year.

Uber only announced news of the breach on Tuesday (November 21st), revealing that customer names, email addresses and mobile phone numbers were exposed, as well as driver names and licence details.

Since the revelations, media outlets have reported that chief security officer Joe Sullivan and one of his subordinates have left the company.

"While we have not seen evidence of fraud or misuse tied to the incident, we are monitoring the affected accounts and have flagged them for additional fraud protection," Uber's chief executive Dara Khosrowshahi stated.

"None of this should have happened, and I will not make excuses for it. While I can't erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes."

The CEO's comments may fall on deaf ears, however, as Uber already has form for failing to inform authorities about data breaches. The company was fined $20,000 in January for a far smaller data breach that occurred three years ago.

Mandatory data breach regulations and the GDPR

Many countries have regulations requiring businesses to inform authorities within a specific timeframe if they suffer an eligible data breach. In the UK, enterprises are expected to notify the Information Commissioner's Office (ICO), which can fine businesses up to £500,000 for serious breaches of the Data Protection Act.

But Uber could face significantly higher penalties if such a breach happens after the General Data Protection Regulation (GDPR) is introduced in May 2018.

GDPR penalties for serious data breaches are either a €20 million (£17.8 million) fine or four per cent of an organisation's annual revenue, whichever is largest. Uber recorded $6.5 billion turnover in 2016, according to Bloomberg, although its expansion drive meant the firm actually lost $2.8 billion overall.

Theoretically, the company could be hit with a $260 million fine if the four per cent of revenue penalty was applied to the $6.5 billion turnover figure.

Dean Armstrong, cyber law barrister at Setfords Solicitors, gave a more cautious estimate to Haymarket Media Group, but emphasised the importance of notifying authorities within the time limit.

"Uber would have had to notify the regulator within 72 hours of being aware of the hack - not the year or so in this case," he stated.

"As Uber hasn't released [official] figures, we can't speculate as to the potential final cost of the fine, but it is fair to say the regulator would come down hard, and under the regulations, it would likely be in the tens of millions."

UK condemns data breach deception

Meanwhile, the UK government has already expressed its concern over the Uber breach, confirming that both domestic and international cyber security agencies will be working together to investigate the effect on Brits.

Prime minister Theresa May's official spokesman said there is no indication that financial details were compromised. However, he added that Uber did not inform any UK regulators when the breach happened.  

James Dipple-Johnstone, ICO deputy commissioner, said Uber could face higher fines due to the deception.

"Uber's announcement about a concealed data breach last October raises huge concerns around its data protection policies and ethics," he explained.

"If UK citizens were affected then we should have been notified so that we could assess and verify the impact on people whose data was exposed. Deliberately concealing breaches from regulators and citizens could attract higher fines for companies."

Uber is taking several measures to improve cyber security at the firm in light of the breach, including:
  • Restructuring and guiding security teams;
  • Individually notifying affected drivers;
  • Providing free credit monitoring and identity theft services for drivers; and
  • Flagging affected customer accounts for fraud and misuse.
Only time will tell if these measures prove enough to overcome the financial and reputational damage that high-profile data breaches can cause.

However, many large organisations will no doubt learn their own lessons from how Uber handled the incident, particularly as they prepare for more stringent data regulations from the GDPR.

Our 2017 Compensation and Market Trends Report combines our review of the prevailing conditions in the security & resilience recruitment market together with the results of our latest employer survey.

Image: NicolasMcComber via iStockADNFCR-1684-ID-801842395-ADNFCR