How Not to Handle a Data Breach: Lessons from Uber

Cybersecurity dominates headlines again this week with the news that ride-sharing business Uber was hacked last year, losing the details of 57 million customers globally.

The breach exposed names, email addresses and phone numbers, and affected seven million drivers, whose license numbers were also taken.

The news was compounded by the revelation that Uber paid the hackers £75,000 ($100,000) to delete the data and conceal the breach from both customers and the media.

The situation is developing but Chief Security Officer Joe Sullivan and another exec have already been ousted, and legal ramifications are mounting, as New York Attorney General Eric Schneiderman has launched an investigation into the hack and a class action lawsuit on behalf of the customers has already been filed.

In the UK, the Information Commissioner’s Office stated it would be working with the National Cyber Security Centre (NCSC) and other relevant authorities to determine the impact on Uber customers in the UK, and that the incident “raises huge concerns around its (Uber’s) data protection policies and ethics.”

Can This Happen to My Business?

Data protection is becoming more and more pressing.

The General Data Protection Regulation (GDPR), a new set of data protection legislation coming into force in the UK from next May, is putting organisations under pressure to review their data processing practices.

Large-scale breaches of this nature demonstrate the potential legal and financial penalties of failing to protect the systems and processes that handle customer data.

Can I Prevent a Data Breach?

The reality is that any system can be compromised, and to claim otherwise would be irresponsible, but there are ways you can make your business less desirable to target.

  • Have a clear view of your systems and networks for visibility of any unusual activity or behaviour.
  • Keep systems up to date and install updates and patches as they are released.
  • Subscribe to developer groups or news updates on your core software as these often highlight issues that have been found previously.
  • Dependent on the size of your organisation, you may want to consider using the services of a white hat (ethical) hacker who can attempt to penetrate your systems, giving you valuable insight before someone with ulterior motives tries.
  • Monitor access and traffic to your systems to look for patterns or unexpected use, e.g. sudden spikes in traffic from specific IPs, and consider blocking these.
  • Consider how you store your data - encrypt sensitive data types to make a snatch-and-grab attack harder. Plaintext storage lets an attacker copy the information and use it immediately, with no further work needed to decode it.
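As an added illustration of the monitoring point above (not code from the original article), this Python script counts requests per source IP in one-minute windows over a constructed access log and flags any address whose rate is far above the median, which is the kind of spike the list suggests reviewing and blocking. The log format, IP addresses and thresholds are constructed assumptions, not values from the article.

```python
from collections import Counter
from datetime import datetime, timedelta
from statistics import median

EPOCH = datetime(1970, 1, 1)  # fixed origin so window boundaries are deterministic


def parse_line(line):
    """Parse a constructed '<ISO timestamp> <client IP> <request>' log line."""
    ts, ip, request = line.split(" ", 2)
    return datetime.fromisoformat(ts), ip, request


def requests_per_window(lines, window_seconds=60):
    """Count requests per (client IP, window start) over fixed-size windows."""
    counts = Counter()
    for line in lines:
        ts, ip, _ = parse_line(line)
        slot = int((ts - EPOCH).total_seconds()) // window_seconds
        counts[(ip, EPOCH + timedelta(seconds=slot * window_seconds))] += 1
    return counts


def find_spikes(lines, window_seconds=60, min_requests=20, spike_factor=5):
    """Return (ip, window_start, count) for windows whose count is at least
    min_requests and at least spike_factor times the median per-IP window count."""
    counts = requests_per_window(lines, window_seconds)
    if not counts:
        return []
    threshold = max(min_requests, spike_factor * median(counts.values()))
    return sorted((ip, start, n) for (ip, start), n in counts.items() if n >= threshold)


def constructed_log():
    """Synthetic access log (constructed): steady background traffic plus one burst."""
    base = datetime(2017, 11, 21, 10, 0, 0)
    lines = []
    for minute in range(5):  # three clients, two requests each per minute
        for i, ip in enumerate(("198.51.100.7", "203.0.113.9", "192.0.2.44")):
            for k in range(2):
                t = base + timedelta(minutes=minute, seconds=10 * i + k)
                lines.append(f"{t.isoformat()} {ip} GET /api/trips")
    for k in range(40):  # one address suddenly pages through customer records
        t = base + timedelta(minutes=3, seconds=k)
        lines.append(f"{t.isoformat()} 203.0.113.200 GET /api/customers?page={k}")
    return lines


if __name__ == "__main__":
    for ip, start, n in find_spikes(constructed_log()):
        print(f"{start:%H:%M} {ip}: {n} requests in one minute; review and consider blocking")
```

In practice the same counting would run over your real access logs, with the window size and thresholds tuned to your own baseline traffic.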

What to Do If You Are Breached

If you are the victim of a hack, implement the following actions as soon as possible.

  • Identify the cause of the breach:
    • How did they get access to the system? Understand the issue, fix it or take the system offline until you can be certain that the weakness has been resolved.
    • What data have they managed to get access to?
    • Has anything been altered or deleted?
  • Collect logs for all the activity and make copies of them outside of the affected system.
  • Report the unauthorised access to the police and give them as much information and logs as you can.
  • Report the issue to the ICO. As well as being the regulatory body for data protection in the UK, it has considerable resources to help businesses.

Crucially, you should consider informing your customers of the breach as soon as you have enough information to confirm who has been affected, and what your recovery plan is.

Be open and honest - your customers will appreciate transparency. Communicate early and often as the situation develops, and keep your communications focused on what you are doing to protect them.

What Did Uber Do Wrong?

Arguably, Uber’s handling of the situation is almost as damaging as the breach itself.

Choosing to conceal the breach from its customers and paying off the hackers is a very risky strategy.

Capitulating to hacker demands in any circumstance is largely ineffective. Aside from the ethical considerations, once your data has been compromised, any promises of data deletion are impossible to prove.

Deliberately covering up the hack betrays the customer relationship in a way that is very difficult to recover from.

Whether Uber’s brand can recover from this remains to be seen.