Uber’s attempts to cover-up a data hack that exposed 57 million customers and drivers is just the latest example of the importance of GDPR. Uber is not the first and will not be the last company to attempt to sweep a hack under the carpet. But that doesn’t make it right.
Sophos principal research scientist Chester Wisniewski points out that this type of cover-up is exactly why GDPR is coming into force. “Uber’s breach demonstrates once again how developers need to take security seriously and never embed or deploy access tokens and keys in source code repositories,” he said. “I would say it feels like I have watched this movie before, but usually organizations aren’t caught while actively involved in a cover-up. Putting the drama aside and the potential impacts from the upcoming GDPR enforcement, this is just another development team with poor security practices that has shared credentials. Sadly, this is common more often than not in agile development environments.”
James Lyne, Sophos cyber security advisor added: “Uber isn’t the only and won’t be the last company to hide a data breach or cyberattack. Not notifying consumers puts them at greater risk of being victimized with fraud. It’s for precisely this reason that many countries are driving to regulations with mandatory breach disclosure.”
The breach took place in 2016 and in an attempt to cover their tracks, Uber paid some £75,000 to hackers to delete the data that they had stolen. The company’s former chief executive Travis Kalanick knew about the breach over a year ago, according to Bloomberg, which first broke the news.
Uber’s official line is that ‘none of this should have happened’. CEO Dara Khosrowshahi said: "While we have not seen evidence of fraud or misuse tied to the incident, we are monitoring the affected accounts and have flagged them for additional fraud protection. None of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes."
Dean Armstrong QC, Cyber Law Barrister at Setfords Solicitors explains how this would not be allowed to happen once GDPR has come into force. He said: "The General Data Protection Rules (GDPR) coming into play in the UK and Europe next year are designed specifically to deal with such occurrences – under these Uber would have had to notify the regulator within 72 hours of being aware of the hack (not the year or so in this case), and assuming the regulator found them in breach of the regulations they would have to pay a fine of 4 per cent of global annual turnover, or 20 million euros, whichever is higher. As Uber hasn’t released its figures we can’t speculate as to the potential final cost of the fine but it is fair to say the regulator would come down hard and under the regulations it would likely be in the tens of millions. The greater cost to Uber however would, and will be in terms of reputation, which although harder to quantify than a fine could far outstrip any penalty handed to them by a regulator. The UK and Europe are adopting stricter rules on personal data protection for precisely this kind of event.”
In the wake of the news, Uber’s chief security officer Joe Sullivan has left the company.