In the latest of a long line of corporate mistakes, the ride-hailing start-up Uber has revealed that the private data of around 57 million people was accessed in a cyber breach last year.
The data was accessed through a series of other security breaches. The hackers had initially obtained access details to Uber’s internal database via software development platform GitHub which was being used to develop the Uber app’s code. From there, hackers then accessed another cloud service that managed the app’s accounts[1].
To add further insult to injury, the hackers demanded money in exchange for the removal of their breach. Uber paid the ransom and the data remained intact. Further, Uber chose not to disclose the breach to its customers for over a year.
In the long term, the scandal will cost Uber dearly. Not only have they broken American federal law by choosing not to disclose the breach, Uber may potentially lose investment funds (as much as $10 billion) from a deal with a Japanese investment firm[2].
Uber already has a poor reputation as a business due to a toxic corporate culture, poor public relations (as per the Uber boycott during the New York Taxi strike in February 2017), sexual harassment claims, and now, poor customer communication.
A bad reputation isn’t just bad for business; it leads to security risks as well. This kind of poor corporate behaviour can lead to many frustrations for any security officer (such as Joe Sullivan former chief security officer for Uber who was ousted this week).
Aside from the aftermath of the data breach, other security issues to consider are:
- Monitoring all cloud-based services – this can be difficult, especially when cloud-based services are managed by other contracting companies;
- Risk of volatile customers/employees – these can come in the form of protests, boycotts, whistleblowing or outright physical aggression; and
- Policies not being followed – policies are not only written to have guidelines on how to carry out security protocols, they are legally binding as well. Failure to follow policy, protocol or even failure to make policies and protocols compliant can lead to severe legal repercussions.
- Complete transparency with regards to security – cloak and dagger security policies, such as dealing with problems and not disclosing them to key shareholders (in this case, the public in general) is very much frowned upon. In the US, states such as California failing to disclose cyber security breaches is illegal. California have amended their civil codes to oblige businesses to disclose any data breaches[3]. Likewise in February 2017, the Australian Government amended the Privacy Act by publishing the Notifiable Data Breaches Act 2017. Under this act it is an obligation to disclose any kind of data breach (with only a few rare exceptions)[4].
The world of cyber security is complicated, and people are afraid of data breaches in general. Uber’s failure to disclose the data breach (even though no data was lost) will have greater repercussions than if the data was simply stolen and reported as stolen. In this case, honesty is a form of security that keeps trust in your processes and services relatively safe.
For assistance in preparing for the Mandatory Data Breach Notification Act in Australia please do not hestiate to contact Agilient.
The Agilient Team
[1] https://www.smh.com.au/technology/technology-news/uber-concealed-cyberattack-that-exposed-57-million-peoples-data-20171121-gzqbjs.html
[2] https://www.reuters.com/article/us-uber-cyberattack/ubers-messy-data-breach-collides-with-launch-of-softbank-deal-idUSKBN1DM2F9
[3] https://www.leginfo.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.pdf