WHAT WE LEARNT FROM THE UBER INCIDENT?

Samantha Cruz (Cyber Research & Development), Horangi
Dec 12, 2017

On Tuesday, November 21, Uber’s newest CEO Dara Khosrowshahi confirmed a data breach of Uber’s systems that happened in October 2016 but only made the news a year later, in 2017. As Khosrowshahi explained in Uber’s press release: “[at] the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.”

UNDERSTANDING THE INCIDENT

So what happened?

In brief, in October 2016 hackers broke into Uber’s Amazon Web Services (AWS) server through Uber’s private GitHub account and downloaded data from it. The breach exposed the names and license numbers of about 600,000 Uber drivers in the United States (US), alongside the names, mobile numbers, and addresses of about 57 million Uber riders from all over the world. Luckily, data relating to trip location history, financial information, and other sensitive personal data were reportedly not exposed in the incident, undoubtedly a sigh of relief for the millions of Uber customers around the world.

Choosing not to publicise the incident, Uber decided to pay the hackers US$100,000 to destroy the data. Uber’s Chief Security Officer Joe Sullivan and one of his deputies were subsequently relieved of their positions for — among other malpractices — not disclosing to affected users that their accounts were compromised. Affected drivers were notified of the data breach and subsequently offered theft and fraud protection measures. In addition, they were advised to stay on the lookout for signs of fraud on rider accounts.

Right after the breach was announced to the public, Washington State’s attorney-general filed a class-action lawsuit against Uber for failing to notify drivers that they were affected by the breach. Subsequently, on 2 Dec 2017, three Uber security chiefs resigned from the company. The three who quit were Joe Sullivan’s Chief of Staff Pooja Ashok, and engineers Prithvi Rai and Jeff Jones, who handled physical security of the facilities where Uber’s servers were actually housed.

WHAT NOW?

The aftereffects of the breach are still unfolding as you read this, but for a start it has heightened the call for stronger data protection policies. It has also underscored the critical importance of disclosing security breaches instead of sweeping them under the rug in an attempt to ‘save face’.

In choosing not to disclose the data breach, Uber ultimately failed to comply with laws and regulations in several parts of the world. Lawyers estimated the damages at around US$500 million. The disclosure also came at a time when Uber was trying to close a deal with the Japanese firm Softbank Group Corp, which planned to invest at least US$10 billion for at least 14 percent of the company. Softbank has not made any comments regarding plans for a possible re-negotiation.

Unfortunately, this is not the first time Uber has violated data protection laws. In August 2017, Uber settled complaints that it had failed to prevent improper snooping on its drivers and riders. According to the Federal Trade Commission (FTC):

“Uber failed consumers in two key ways: First by misrepresenting the extent to which it monitored its employees’ access to personal information about users and drivers, and second by misrepresenting that it took reasonable steps to secure that data.”

Luckily for the wider business community, Uber’s security breach highlighted the many ways companies may try to bypass data protection policies. These range from paying off hackers (as in Uber’s case) to exploiting exceptions and loopholes in various data protection policies.

WHY DATA PROTECTION MATTERS

For any organization, the protection of its sensitive digital assets is what prevents — or at least mitigates — the downfall of the company. For many enterprises it may feel like a lot of work, because it adds bureaucratic hurdles to the organization. But there are many reasons why companies should implement such measures to protect their data from harm. The most important reasons for enterprises to implement data protection procedures are the financial and reputational repercussions. Apart from these more ‘direct’ losses, there are also ‘indirect’ losses: i) the trust of investors, ii) the trust of its customer community, and iii) any established reputation that facilitates business expansion.

Concurrently, government institutions are cracking down on companies that fail to comply with data protection regulations. Some of these regulations are designed to protect the public by defining what information must be retained, for how long, and under what conditions, while others are designed to ensure the privacy of the submitted information. Failure to comply with such regulations can result in hefty fines or, worse, prosecution for criminal liability.

TIME IS MONEY, LITERALLY.

The loss of data ultimately equates to the loss of time — usually in the form of productivity. Time that could be used to generate revenue is instead lost to recovering lost data, rebuilding the brand, and hunting down perpetrators. A poor data protection policy may push away loyal customers who are left waiting for prolonged periods for systems to be restored. During that time, employees may be sitting idle or only able to work at reduced capacity. Any combination of such outcomes can have severe ramifications for an enterprise’s corporate survivability.

There are many things that can happen if data is not protected. In cases like these, prevention is, quite often, better than a cure.
