Cybersecurity dominates headlines again this week with the news that ride-sharing business Uber was hacked last year, losing the details of 57 million customers globally.
The stolen data included names, email addresses and phone numbers, and covered seven million drivers, whose license numbers were also taken.
The news was compounded by the revelation that Uber paid the hackers £75,000 ($100,000) to delete the data and conceal the breach from both customers and the media.
The situation is developing but Chief Security Officer Joe Sullivan and another exec have already been ousted, and legal ramifications are mounting, as New York Attorney General Eric Schneiderman has launched an investigation into the hack and a class action lawsuit on behalf of the customers has already been filed.
In the UK, the Information Commissioner’s Office stated it would be working with the National Cyber Security Centre (NCSC) and other relevant authorities to determine the impact on Uber customers in the UK, and that the incident “raises huge concerns around its (Uber’s) data protection policies and ethics.”
Data protection is becoming more and more pressing.
The General Data Protection Regulation (GDPR), a new set of data protection legislation coming into force in the UK from next May, is putting organisations under pressure to review their data processing practices.
Large-scale breaches of this nature demonstrate the potential legal and financial penalties organisations face for failing to protect the systems and processes handling their customer data.
The reality is that any system can be compromised, and to claim otherwise would be irresponsible, but there are ways you can make your business less desirable to target.
If you are the victim of a hack, implement the following actions as soon as possible.
Crucially, you should consider informing your customers of the breach as soon as you have enough information to confirm who has been affected, and what your recovery plan is.
Be open and honest - your customers will appreciate transparency. Communicate early and often as the situation develops, and keep your communications focused on what you are doing to protect them.
Arguably, Uber’s handling of the situation is almost as damaging as the breach itself.
Choosing to conceal the breach from its customers and paying off the hackers is a very risky strategy.
Capitulating to hacker demands in any circumstance is largely ineffective. Aside from the ethical considerations, once your data has been compromised, any promises of data deletion are impossible to prove.
Deliberately covering up the hack betrays the customer relationship in a way that is very difficult to recover from.
Whether Uber’s brand can recover from this remains to be seen.