Uber is to pay a fine of $148m and improve its data security as part of a legal settlement for attempting to cover up a data breach in 2016, which only came to light in 2017 when it emerged that 600,000 US drivers and 57 million user accounts had been affected, including an estimated 2.4 million in the UK.
In response to the revelations, the UK’s Information Commissioner’s Office (ICO) said the exposed information on its own was unlikely to pose a direct threat, but urged customers and drivers to be vigilant because the data could help make other scams, such as bogus emails or calls, appear more credible.
Uber particularly came under fire for paying hackers $100,000 through its bug bounty programme to delete the stolen data and keep quiet about the breach.
The settlement reached in a case brought by 50 US states and the District of Columbia will be divided among the states based on the number of drivers each has, and follows a $20,000 fine in January 2017 for failing to disclose a considerably less serious breach in 2014.
The latest settlement also requires Uber to comply with state consumer protection laws safeguarding personal information, notify authorities immediately of any future breaches, establish methods to protect customer data stored on third-party platforms and to create strong password protection policies, The Guardian reported.
“This is one of the most egregious cases we’ve ever seen in terms of notification. A year-long delay is just inexcusable,” Lisa Madigan, the Illinois attorney general, told the Associated Press. “And we’re not going to put up with companies – Uber or any other company – ignoring our laws that require notification of data breaches.”
Turning over a new leaf
Uber’s chief legal officer, Tony West, said the commitments in the settlement were in line with physical and digital safety improvements the company recently announced.
“Our current management team’s decision to disclose the incident was not only the right thing to do, it embodies the principles by which we are running our business today: transparency, integrity and accountability. An important component of living up to those principles means taking responsibility for past mistakes, learning from them, and moving forward,” he wrote in a blog post.
In recent months, Uber has been getting its privacy and data protection house in order in the wake of the damaging data breaches in 2016 and 2014, and in anticipation of the company’s planned stock market launch in 2019.
In July, the firm announced the appointment of former Intel chief privacy and security counsel Ruby Zefo as Uber’s first chief privacy officer, and TomTom vice-president of privacy security Simon Hania as Uber’s first data protection officer (DPO).
The company has also hired Matt Olsen, a former general counsel to the National Security Agency and the director of the National Counterterrorism Center, as chief trust and security officer.
Uber CEO Dara Khosrowshahi has made sweeping changes as he forges ahead with plans for the company’s initial public offering (IPO) in the next year.
Khosrowshahi, who was appointed as CEO after Uber’s co-founder and first CEO Travis Kalanick was ousted in 2017 amid accusations that the company’s work culture condoned sexual harassment and gender discrimination, has been tasked with reforming and stabilising the company, as well as improving transparency.
When news of the breach emerged in November 2017, Khosrowshahi released a statement saying he was not aware of the 2016 incident until “recently”, but Kalanick is believed to have known about the breach and the attempted cover-up.
Uber fine serves as warning to others
Reacting to news of the fine, Rob Shapland, principal cyber security consultant at Falanx Group, said it showed that companies could no longer get away with poor cyber security or with the temptation to sweep incidents under the carpet.
“I would expect many companies will have tried to hide the fact that they’ve been breached, especially given the size of the potential fines. This case, and the punishment for Uber for not revealing that the breach had occurred, will hopefully give companies further warning of the risks posed by cyber attacks, so that they take the security of the data they hold more seriously.”
Tim Erlin, vice-president at Tripwire, said that while the settlement was directly related to the incident at Uber, its impact extended well beyond one company.
“A successful lawsuit with a meaningful financial impact reminds other organisations about the full range of cyber security risks. Financial settlement and fines are part of the risk equation when weighing out the costs and benefits of cyber security,” he said.
“There’s no doubt that the cover-up behaviour was impactful in how this settlement played out. It’s a good reminder to all organisations of how a good breach response plan can help avoid poor decision-making in the midst of an incident.”
Jake Moore, security specialist at ESET, said the fine should discourage other companies from attempting to cover up breaches in future.
“Companies realise that personal information such as phone numbers, addresses and credit card details can be stolen in seconds, but it takes years to rebuild that customer confidence, so trying to keep it quiet will be an idea by some senior-ranked employees. However, this is inevitably the wrong thing to do, and Uber is surely being made an example of what not to do,” he said.
“Being open about customer data breaches at the earliest opportunity is not only ethically the right thing to do, but helps protect people from a multitude of other attacks which could follow as a result.”