We cannot say we are surprised. The company has had a longstanding tradition of skirting the laws, but this act could serve as a dictionary entry for the word ‘brazen’.
The breach that the company experienced occurred in October 2016. It was a massive, global breach where personal information of some 57 million Uber passengers and drivers was stolen, according to a Bloomberg report.
50 million users saw their names, e-mail addresses, and phone numbers taken. Additionally, 7 million drivers were affected, and 600,000 US drivers saw their driver’s licence numbers leaked. Social security numbers, credit card information and trip details were not affected, Uber claims.
The hackers obtained login credentials from GitHub and used them to access confidential data stored on Amazon Web Services, masquerading as developers. The company did not use any encryption methods to store data.
The criminals then blackmailed Uber and extorted money from the company. By then, Uber should have disclosed the existence of a breach, even if they chose to pay off the attackers.
The hot potato is the product of the controversial former Uber CEO, Travis Kalanick. Mr Kalanick was made aware of the breach in November 2016, and he decided to pay off the hackers who then reportedly deleted the data.
The response to the breach was so bad that various experts claim that, compared with Uber, Equifax is a positive example of data handling. As a reminder, the Equifax breach left over 145 million people affected, and the company is facing allegations of covering up the breach and insider trading.
To add insult to injury, Uber was already in negotiations with US regulators about previous, separate breaches and violations. They have been fined $20,000 by a New York court for an unrelated breach in 2014.
The company also received a lot of bad press for its ‘greyballing’ practices, i.e. deceiving law enforcement officers in order to avoid getting their vehicles impounded, as well as for allegations of sexual misconduct and gender discrimination that led to the ousting of Mr Kalanick.
The current CEO, Dara Khosrowshahi, has repeatedly stressed that Uber has begun changing its corporate culture for the better. This scandal will certainly put a wrench in the works, but getting it out in the open was perceived as a way to start anew.
As always, hindsight is 20/20, as Uber now claims they should have reported the breach. “None of this should have happened, and I will not make excuses for it. We are changing the way we do business,” claimed Mr Khosrowshahi.
Joe Sullivan, an outgoing chief security officer, was sacked by Khosrowshahi along with Craig Clark, a senior lawyer from Sullivan’s team. The management also hired Mandiant, a cybersecurity company, to investigate the circumstances of the breach.
In a bid to placate drivers and ease tensions, Uber will provide free identity protection and credit protection monitoring to all the affected drivers.
But this approach may not work completely. Uber was hit with a class action lawsuit in federal court in Los Angeles, mere hours after the breach was disclosed, and there is no doubt disgruntled drivers will seek justice.
The UK, US, Filipino, and Australian governments have already gone public with their plans to investigate the company. The Guardian reports that the New York state attorney general’s office has launched a probe into the data breach.
Dealing with the consequences of the breach will certainly be costly. The company can expect fines and even more lawsuits, even if consumer behaviour doesn’t change.
Sadly, news of such breaches is nothing new.