What to Learn from Uber’s Recently Disclosed Data Security Breach
Drivers, riders and regulators alike have questioned Uber for staying silent after the hack. It’s clear that Uber’s data security breach should have been handled a lot differently. Follow along as we examine what happened and how to learn from their mistakes.
The Security Breach
In 2016, ride-sharing company Uber apparently learned that hackers had accessed and captured the personal information of about 57 million of its customers and drivers. And that wasn’t the bad news. Now the world has learned that Uber then paid $100,000 to the hackers as a ransom so the hackers would destroy the data without publicly revealing the breach. And perhaps worst of all – that 2016 breach of the personal data of some 57 million customers and drivers – was just disclosed by the company after all this time. This is not how your company wants to handle any such incidents.
The revelations, which were finally disclosed by the company Nov. 21, led to the firing of Uber’s security officer, Joe Sullivan, and have left the company in a tailspin as it tried to explain its actions to consumers, its drivers and others, according to a story in The New York Times.
“The deal was arranged by the company’s chief security officer and under the watch of the former chief executive, Travis Kalanick, according to several current and former employees who spoke on the condition of anonymity because the details were private,” the Times reported. The hackers stole mobile phone numbers, email addresses and names of Uber drivers and customers from a third-party server and then demanded $100,000 to delete their copy of the data, the sources told the paper.
Incredibly, Uber did as they were told by the hackers and then “pushed them to sign nondisclosure agreements” so the attack and the aftermath would remain a secret, the story continued. “To further conceal the damage, Uber executives also made it appear as if the payout had been part of a ‘bug bounty’ — a common practice among technology companies in which they pay hackers to attack their software to test for soft spots.”
All of this remained a secret until Nov. 21. That’s more than year. That’s not good behavior when a company suffers a data security breach of any size. In a Nov. 21 Uber blog post by Dara Khosrowshahi, the CEO of the ride-sharing company, reiterated the reported details of the incidents and said he is working to get to the bottom of the matter.
“None of this should have happened, and I will not make excuses for it,” wrote Khosrowshahi. “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”
Khosrowshahi said she recently learned about the breach, which while capturing large amounts of customer and driver data, did not breach Uber’s corporate systems or infrastructure. “Our outside forensics experts have not seen any indication that trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded,” wrote Khosrowshahi.
“As Uber’s CEO, it’s my job to set our course for the future, which begins with building a company that every Uber employee, partner and customer can be proud of,” he wrote. “For that to happen, we have to be honest and transparent as we work to repair our past mistakes.”
What to Learn
Khosrowshahi wrote that after recently learning of the breach and ransom he ordered an immediate and thorough internal investigation into what happened and how the company handled the incidents. The company’s failure to notify affected individuals about the incidents prompted him to take several actions, including bringing in Matt Olsen, a co-founder of a cybersecurity consulting firm and former general counsel of the National Security Agency and director of the National Counterterrorism Center, to help the company guide and structure its security teams and processes going forward.
“While we have not seen evidence of fraud or misuse tied to the incident, we are monitoring the affected accounts and have flagged them for additional fraud protection,” Khosrowshahi wrote. The full story behind the Uber data breach and ransom follow-up is still unfolding, but a lot can be learned from the incidents.
First, enterprise IT security systems must be as strong and redundant as possible to protect critical corporate information and personal customer data at all times. Next, when a breach does occur, companies must quickly and efficiently notify all affected customers, partners, regulatory agencies and others so that full disclosure is provided as a matter of trust and honor.
Yes, breaches do and can happen, despite the best efforts of corporate IT and security teams. These are the threats that keep IT security workers up at night and corporate leaders sweating and praying that they don’t see their company’s name in the headlines the next day. The Uber breach is only the most recent incident in what has been a maddening pattern of IT security breaches affecting millions of users in recent years.
But companies must respond in more open ways to such incidents to maintain the trust and continued business of customers. That’s the key lesson to be learned from Uber’s horrible day on Nov. 21. You don’t want to see your company go through a similar public grilling. Keep that in mind the next time you think your company’s IT security is good enough.
Key Lessons in Summary
- Implement strong and redundant IT security systems for your virtualized environments. Had the hackers targeted and cracked Uber’s corporate systems or infrastructure, the damage could have been far worse.
- Insist that third-parties you work with implement the same level of security standards. If not, you should think about moving your employee or customer data to your own servers where you can provide multilayered protection.
- Be honest. Had Uber admitted to the breach in the first place AND moved quickly, and efficiency to remedy the situation, the damage to their reputation could have been far less.