2017 is unlikely to feature highly in a list of Uber’s favourite years, as the embattled/beleaguered/troubled [delete as appropriate] company faces a whole new scandal.
Following the sexual harassment allegations which led to founder and CEO Travis Kalnick stepping down, the ongoing allegations of sexual assaults by drivers, the court cases over unfair working practices and the removal of its operators licence in London, the company can now look forward to some long, intense discussions with data regulators worldwide.
A statement on the Uber website admits the company suffered a massive data breach in 2016 in which hackers stole details of 57,000,000 users (including 600,000 Uber drivers) worldwide. So far, so 2017, you might think, but this being Uber, the company decided to up the ante, but paying the hackers off to delete the data and keep quiet about the whole hack.
According to Bloomberg, the company then paid the hackers $100,000 to quietly delete the data and keep their mouths shut. Clever, maybe, effective, sort of, but not exactly the sort of best practice which will win the company any new friends in the world’s data regulators or watchdogs.
New CEO Dara Khosrowshahi, who must be questioning his remuneration right about now, said: “You may be asking why we are just talking about this now, a year later. I had the same question, so I immediately asked for a thorough investigation of what happened and how we handled it.
“None of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”
Uber Takes Action
Joe Sullivan, Uber’s chief security officer, and Craig Clark, a lawyer in his team, have been fired because of their handling of the incident, reports Bloomberg.
Following these latest revelations, Uber is now offering drivers free credit monitoring and identity theft protection,. The company has said that users don’t need to take any action and that it monitoring the affected accounts for any fraudulent activity. However, in the statement about the incident on the company’s website, Uber says: ‘We encourage all our users to regularly monitor their credit and accounts, including their Uber account, for any issues.’
In his statement, Khosrowshahi, says the company is notifying the relevant authorities.
Why GDPR Matters
Dr Jamie Graves, the CEO of ZoneFox, told DIGIT: “The Uber hack is precisely why GDPR is coming into force. Time and time again we’ve seen significant data breaches, which will have serious implications for those whose data was involved, dismissed or covered up by major organisations.
“The incoming legislation that requires organisations to investigate and inform victims of a breach within 72 hours will at least give those affected a chance to get ahead of the criminal gangs that have their sensitive data.
“However, the most disturbing aspect of the Uber case is that they paid money to those responsible to destroy the data. As we have seen in numerous other cases, these gangs are the last group of people to be trusted. For example, ransomware distribution groups often will not decrypt the data they have locked away after receiving payment.
“So how do we know all of the data has been deleted? And how do we know that some accounts weren’t ‘cherry-picked’ for belonging to high-net users and then sold to the highest bidder? Uber CEO Dara Khosrowshahi wants to ‘change the way they do business’ – a thorough and immediate independent investigation into this attack would be a good place to start.”