It has been revealed that Uber covered up a major breach that happened in 2016, with the firm paying hackers $100,000 (£75,000) to delete the stolen data.
The hackers found 57 million names, email addresses and mobile phone numbers. According to Bloomberg, which first published the news, 600,000 drivers within that number had their names and licence details exposed.
“While we have not seen evidence of fraud or misuse tied to the incident, we are monitoring the affected accounts and have flagged them for additional fraud protection,” Uber’s chief executive Dara Khosrowshahi comments.
“None of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.”
In the wake of the news, Uber’s chief security officer Joe Sullivan has left the company.
Uber did not confirm precise details of the hack – and it is not known which countries were affected – but according to Bloomberg’s report, two hackers were able to access a private area of GitHub, an online resource for developers. From there it is understood they found Uber’s log-in credentials to Amazon Web Services.
As is often the case, it will likely be the cover-up that proves more bothersome for Uber than the hack itself. Uber has earned a reputation for skirting regulations in the areas where it has operated since its founding in 2009.
As well as facing dozens of lawsuits, Uber is the subject of at least five US criminal probes into possible bribes, illicit software, questionable pricing schemes and theft of a competitor’s intellectual property. London and other governments have taken steps toward banning the service, due to what they say is ‘reckless’ behaviour by Uber.
Responding to the news, Dean Armstrong QC, cyber law barrister at Setfords Solicitors comments: “Uber has played a risky game here, not only concealing the hack but exacerbating the problem by paying off the hackers. This will simply encourage them further and result in more attempts to steal personal data from organisations.”
“In the UK and EU there has been a huge shift in thinking towards this issue and in May 2018 new regulations come into force that would see such behaviour heavily punished.”
“The General Data Protection Rules (GDPR) coming into play in the UK and Europe next year are designed specifically to deal with such occurrences – under these Uber would have had to notify the regulator within 72 hours of being aware of the hack (not the year or so in this case), and assuming the regulator found them in breach of the regulations they would have to pay a fine of 4% of global annual turnover, or 20 million Euros, whichever is higher.
“As Uber hasn’t released its figures we can’t speculate as to the potential final cost of the fine, but it is fair to say the regulator would come down hard and under the regulations it would likely be in the tens of millions. The greater cost to Uber, however, would be, and will be, in terms of reputation, which, although harder to quantify than a fine, could far outstrip any penalty handed to them by a regulator. The UK and Europe are adopting stricter rules on personal data protection for precisely this kind of event.
“While the hack occurred in North America, the regulations will apply to any EU citizen’s data. Assuming that at least some of the 50 million records hacked were of EU citizens, then under the new rules GDPR would potentially see Uber punished under EU regulation.
“GDPR is a declaration that personal data is sacrosanct, and that organisations will be held to account if they misuse, abuse or conceal attacks on it. If Uber wants to continue its rise across Europe it has to reverse its attitude to hacks, come clean and work tirelessly to make its protections and reporting systems watertight. It has much work ahead of it, but perhaps this lesson will finally signal to other organisations that law-makers, and the public, have had enough of poor data protection provision.”