Here’s another reported data breach. This one doesn’t have a happy ending. Uber Technologies Inc., the owner of the nifty app that allows individuals to make a side income driving around clients, has reported a massive data breach. The breach has reportedly exposed the data of more than 57 million of the company’s accounts, but that’s not the tough news. Uber did two things wrong: (1) They paid hackers $100,000 to keep the data breach secret and delete the data. (2) It took them a year to disclose the breach.
“None of this should have happened, and I will not make excuses for it,” Uber chief executive Dara Khosrowshahi acknowledged in a statement.
As new information unfolds, we learn the story behind the Uber data breach. The company confirmed that two hackers gained access to important information stored on GitHub, a service that allows engineers to collaborate on software code. From there the hackers were able to gain access to sensitive information such as the names, email addresses and mobile phone numbers of individuals from around the world, and even the names and license plate numbers of drivers.
This isn’t the first time Uber has suffered a data breach. The company is still recovering from a data breach by hackers in 2014 that caused much controversy and conversation about how startups should be protecting customer data. Since then, Uber has reportedly been “cleaning up their act,” so to speak, but the silence around this most recent data breach and its late announcement are deterring many customers.
Because the criminals were paid the ransom, Uber’s CEO confirms that the stolen information was deleted successfully and is not floating around on the dark web. This didn’t stop Uber executives from making an example of two employees directly linked to the undercover data breach. This ultimately led to the stepping down of Uber chief security officer Joe Sullivan.
As mentioned, Uber made two drastic mistakes when addressing this data breach. First, they paid the hackers to keep the data breach quiet and delete the information. While in this case it seems to have worked, relying on malicious criminals to either return your stolen data or delete it after a ransom payment is an immature mistake. It is one of the easiest ways to encourage these criminals to continue their criminal endeavours. Second, they hid the breach from customers and didn’t disclose it quickly. As they’re quickly learning, this is one of the quickest ways to lose customers and destroy a brand image. An Uber driver in Pittsburgh, USA stated:
“The hack and the cover up is typical Uber only caring about themselves.”
This gives you insight into how failing to disclose early, quickly and credibly can cause lasting damage to your company. Due to these faults, Uber will be facing financial fines, lost customers, a degraded brand image and lost revenue.
While honesty and openness are Uber’s greatest redemption, the company could’ve undertaken many tactics that would’ve prevented such a drastic media blunder. They might’ve thought to create an ‘Incident Response Plan’ so that they were actively thinking about how to deal with a situation quickly. They could’ve actively monitored their systems through user analytics and monitoring to understand when the data was stolen and to be alerted, maybe even preventing the theft before the data was taken. Finally, security awareness training turns your employees into your best defense against data breaches. Train them on what to look for, and they’ll be your first line of defense.
“While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes,” Khosrowshahi said. “We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”