In a year where data breaches and large-scale hacks are making headlines, technology and taxi giant Uber is the latest victim. Okay, that’s not strictly true, as the hack in question actually occurred in 2016; senior officials at the time, however, decided it was best to try and keep it a secret. A year on, in a written statement, current CEO Dara Khosrowshahi has released details of the breach and stated that the company will be launching a full investigation into the event that took place in October 2016.
The breach in question is said to have affected 57 million customers and drivers worldwide, with 600,000 of the 7 million drivers affected being in the U.S., all of whom have had their driver’s license details stolen. For the 50 million customers affected, names, emails and phone numbers were taken, but no credit card details or additional information. The Uber hack, which was undertaken by two unnamed individuals, utilised code held in GitHub that allowed access to the company’s AWS storage systems; corporate systems, however, were not accessed.
Paying for a breach
Data breaches, downtime and hacks have the potential to cost companies millions, and cyber-criminals have cashed in on this, the hackers behind the Uber attack included. In an attempt to keep the breach quiet, Uber paid the hackers a fee of $100,000 to delete the data and to sign non-disclosure agreements, hiding the payment as a ‘bug bounty’. This week the company fired its Chief Security Officer and one of his deputies for the part they played in the cover-up.
This is not the first time the company has come under fire for failing to disclose a data breach. In 2014 the company was fined $20,000 for failing to disclose a breach, although that event was significantly smaller. For the new CEO, this breach couldn’t have come at a worse time, but how the situation is now dealt with will say a lot about how he wants to move the company forward, having stated, “we are changing the way we do business”. It is largely thought that his role within the company will be to drive compliance and ensure the company is meeting regulatory standards in the markets it operates in.
“None of this should have happened, and I will not make excuses for it”
– Dara Khosrowshahi, CEO, Uber
Trouble in Europe
With this hack having affected customers across the globe, it is likely that multiple data regulation authorities will take an interest, including the Information Commissioner’s Office (ICO) in the UK. With the General Data Protection Regulation (GDPR) looming, it is likely that Uber will face a large fine from European regulators looking to make an example of the company, although this won’t be enforced with the full force of the GDPR. Under the GDPR’s financial penalties, the fine could have been up to 4% of global revenue, plus an additional 2% of global revenue for failing to report the breach within 72 hours. Uber’s reported 2016 revenues were $6.5 billion, so at 6% the fine under the GDPR could have been $390 million. That is a hefty sum of money for a business heavily backed by investors and yet to make a hard profit, amid speculation around how the company operates.
Uber already faces an uphill battle across Europe, where regulators have been battling with the company to ensure that its practices are strictly legal. The company has recently been banned from operating in London and is already banned countrywide in Italy, Denmark, Bulgaria and Hungary. With the GDPR set to put more focus on how personal (customer) data is protected, if Uber cannot demonstrate its compliance and security then it could see further bans put in place and be driven out of the European market altogether.
James Dipple-Johnstone, ICO Deputy Commissioner, has since issued a statement regarding the data breach. Part of the statement reads:
“Uber’s announcement about a concealed data breach last October raises huge concerns around its data protection policies and ethics.”