Uber's attempt to hide a data breach which saw the personal details of 57 million users stolen was "mind-blowing" and inexcusable, a data encryption expert has said.
The criticism comes hours after Uber admitted to a 2016 data breach which saw the theft by hackers of 57 million names, email addresses and mobile phone numbers of customers and drivers. Included in the data were 600,000 driver names and licence details.
Drivers have been offered free credit monitoring protection, but Uber customers will not be offered the same protection against identity theft.
Former chief executive Travis Kalanick knew about the data breach a year ago, Bloomberg reports, and under his reign Uber gave the hackers $100,000 to have the stolen data deleted. Uber's chief security officer Joe Sullivan has left the company in light of the report.
In a statement emailed to GearBrain, Dan Panesar, VP EMEA at Certes Networks, an encryption specialist, said: "Uber may be the latest in a long line of big names to hit the headlines in the wake of serious data breaches, however it is the handling of the attack that is the biggest cause for concern. The lengths gone to by the executive team to conceal the loss of personal data from staff and customers is mind-blowing, and there simply isn't a place or excuse for it."
A massive error of judgement by the C-suite
Panesar continued: "Most likely the Uber C-suite, seeing the repercussions of cyber-attacks on similar household names, were keen to avoid the reputational damage – a massive error of judgement. The reality is that customer distrust of the brand will be amplified by the company's attempts to hide the facts from them and points to the need for change in the industry."
Dr. Jamie Graves, CEO of ZoneFox, a data protection company, said in a statement emailed to GearBrain: "The most disturbing aspect of the Uber case is that they paid money to those responsible to destroy the data. As we have seen in numerous other cases, these gangs are the last group of people to be trusted...how do we know all of the data has been deleted? And how do we know that some accounts weren't 'cherry-picked' for belonging to high-net users and then sold to the highest bidder? Uber CEO Dara Khosrowshahi wants to 'change the way they do business' - a thorough and immediate independent investigation into this attack would be a good place to start."
The timing of the disclosure of Uber's loss of data is interesting. In May 2018 the General Data Protection Rules (GDPR) come into power in the UK and Europe, forcing companies to notify regulators within 72 hours of discovering they are the victim of a cyberattack. If found to be in breach of these laws, as Uber would have been in this case, companies will be required to pay a fine of 4 percent of global annual turnover, or €20m ($23.5m), whichever is larger.
Playing a risky game
Although this hack happened in the US, the new rules will still apply if any Uber customers affected by the data breach were European Union citizens
On this topic, Dean Armstrong QC, Cyber Law Barrister at Setfords Solicitors, London, said in a statement emailed to GearBrain: "Uber has played a risky game here, not only concealing the hack but exacerbating the problem by paying off the hackers. This will simply encourage them further and result in more attempts to steal personal data from organizations. In the UK and EU there has been a huge shift in thinking towards this issue and in May 2018 new regulations come into force that would see such behaviour heavily punished."
Uber CEO Dara Khosrowshahi said in a statement: "As Uber's CEO, it's my job to set our course for the future, which begins with building a company that every Uber employee, partner and customer can be proud of. For that to happen, we have to be honest and transparent as we work to repair our past mistakes.
"I recently learned that in late 2016 we became aware that two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use. The incident did not breach our corporate systems or infrastructure.
"Our outside forensics experts have not seen any indication that trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded. However, the individuals were able to download files containing a significant amount of other information, including:
- The names and driver's license numbers of around 600,000 drivers in the United States. Drivers can learn more here.
- Some personal information of 57 million Uber users around the world, including the drivers described above. This information included names, email addresses and mobile phone numbers. Riders can learn more here.
"At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals. We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts…
"None of this should have happened, and I will not make excuses for it. While I can't erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers."