Uber has done it again! In 2014 Uber failed to declare a data breach for which they were fined. That lesser breach pales in comparison with the recent one that ‘once again’ they had failed to disclose at the time. Uber concealed the October 2016 breach that has affected 57 million customers and drivers and instead paid $100000 (£75000) to the hackers in exchange for deleting the data and keeping the breach quiet.
This most recent data breach, hidden by the ride-sharing firm, included vast quantities of personal data from driver and customer accounts globally: names, email addresses as well as mobile phone numbers.
It has been suggested that the breach is a result of hackers obtaining login credentials to access the data stored on Uber’s Amazon Web Services account. The data was not encrypted. This is not acceptable. It seems as if Uber did not even try to take precautionary measures to secure their data- a massive mistake from a security perspective.
Uber have stated that they do not believe any individual rider needs to take any action and that they have seen no evidence of fraud or misuse tied to the incident. Also, that they are monitoring the affected accounts and have flagged them for additional fraud protection.
Uber are facing customer law suites and Data Protection Commissioners across the globe are pursuing the breach.
Many Jurisdictions have penalties if a company is found to be in breach of data protection laws. Australia could fine up to 420000 Australian dollars and Singapore up to 1000000 Singapore dollars (an excess of $740000) for such a breach. The U.K.’s Information Commissioner’s Office (ICO) have announced that Uber could face a penalty of up to £500000 ($661,900).
Uber dismissed Chief Security Officer Joe Sullivan for his role and CEO Dara Khosrowshahi, who wasn’t with Uber when the hack occurred, said “none of this should have happened, and I will not make excuses for it.” He continued “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.”
Monetary and reputational consequences of this breach may finally pressure Uber to take their data security more seriously and properly secure and manage the data that they collect, process and store of their employees and customers. Robust data security must be prioritised to avoid a situation like this.