Uber’s Downfall yet again

Palwasha Rahimi
Dec 2, 2017

In yet another virtual slap to the way Travis Kalanick handled business, Uber’s new CEO, Dara Khosrowshahi, recently disclosed the 2016 Data Security Incident. Uber disclosed that approximately 2.7 million UK customers and drivers were affected by the data breach, which occurred almost a year ago and was concealed until last week.

In October 2016, two hackers broke into their system and stole identifications of Uber’s software engineers. They accessed Uber’s cloud-based storage account on Amazon Web Services and stole 57 million records of Uber customers across the globe, comprising names, email addresses and phone numbers. Besides customers, this breach also affected over 7 million US Uber drivers, whose personal information, including their license numbers, was hacked. Travis and his team members discovered this a month later. Chief security officer Joe Sullivan and Kalanick decided to dig their grave deeper by not revealing this data breach to the authorities, which is unlawful. The hackers demanded $100,000 to erase the stolen data, which Uber paid.

It is worth commending Uber’s new CEO, Dara Khosrowshahi (since September 2017), for coming out in the open on his own regarding previous wrongdoings at Uber. It takes guts to own up to a mistake, which evidently not everyone at Uber has. He first fired Joe Sullivan and his assistant Craig Clark to clean up the mess (brownie points for doing that). Next, he unveiled information about this incident to the New York Attorney General and the FTC on 14th November, resulting in an investigation and a lawsuit for negligence being filed. He then wrote an email explaining this. In his email statement, Khosrowshahi stated: “None of this should have happened, and I will not make excuses for it…. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes…. We are changing the way we do business” (Uber, 2017).

What should the likely alternative be in such cases?

Imagining myself in the shoes of Kalanick, I can understand the hopelessness Kalanick must have faced at that point and “maybe” I might have paid off the hackers too if I had access to that kind of funds. But I want to pose a question: “Would you risk a furious hacker broadcasting a record of 57 million people or, worse, him selling this to your opponents or anyone who can misuse that data if you refuse to pay?” This prompts a second question: “Are government systems quick, efficient and discreet enough to catch the hackers before they cause the damage?”

Undoubtedly, it was a mind-numbing scenario and any founder would be willing to go to any extent to protect the company and client data. However, taking steps such as concealing the fiasco for the purpose of safeguarding the firm is absolutely unforgivable.

This debacle has taught us two key things:

1. Concentrate on your data security like never before.

Data security must be a priority for every organisation, whether it be tech or non-tech. Data is gold and data is cyanide, depending on who is in possession of it.

This also goes back to this week’s class discussion, particularly for the debate claim that I was assigned, which stated that “Firms should be responsible for disclosing what data they collect about their users, where it is stored, and how it is used as well as for making clear what prospective tradeoffs customers are making with respect to privacy and data security”. From my point of view, a company must explain how and why they want to use an individual’s personal data at the outset based on their intentions at the time they collect it due to the privacy concerns associated with big data.

Although banning large-scale data collection is unlikely to be a realistic option to solve the problem, transparency is the key to letting us harness the power of big data while addressing its security and privacy challenges. This further reinforces my argument that handlers of big data should disclose information on what they gather and for what purposes.

2. Accepting blame when you deserve it.

Not disclosing to the world that you screwed up somewhere or the hackers turned out to be smarter than you were expecting is an unjustifiable mistake. Several other companies, including Yahoo and Target, faced these violations too, yet the difference is they owned up to their mistake.

Integrity, in the face of adversity, is a courageous path and it is evident Uber failed to walk this path.

If Travis Kalanick himself had accepted the blame last year, it would still have resulted in an investigation, some negative press and an examination of data security. However, the company’s integrity would have been in place.

Sadly, Uber failed to register that a reputation in the name of integrity is the hardest to earn. I am very hopeful that Khosrowshahi will rebuild the dubious image Uber has built over the past years with the numerous lawsuits and criminal cases it has gathered for itself. Until then, Uber’s business ethics are highly questionable and too much of what to do and a whole lot of what not to do.

References:

Uber. (2017). 2016 Data Security Incident: Uber Newsroom. [Online]. Available at: https://www.uber.com/newsroom/2016-data-incident/ [Accessed 1 Dec, 2017].
