Wait. What? — Uber concealed a data breach of 57 million people’s data!?!
In another “virtual slap” to the way Travis Kalanick ran the business, Uber’s new CEO, Dara Khosrowshahi, recently disclosed the data breach that happened almost a year ago at Uber.
Uber data breach - What exactly happened?
Two hackers broke into Uber’s system and stole the credentials of Uber software engineers. They then accessed Uber’s cloud-based storage account on Amazon Web Services and stole the data of more than 50 million Uber drivers from across the globe: names, email addresses, phone numbers, etc. This included the personal info of 7 million plus US Uber drivers (license numbers included). This happened in October 2016; Travis and his team learnt of it a month later, in November 2016.
The hackers asked for $100,000 to delete the stolen data. Uber paid.
To dig their grave deeper, Uber security chief Joe Sullivan and Kalanick decided to not disclose this data breach to the authorities. Which is illegal. Facepalm.
How did the Uber data breach become public?
It’s nothing short of commendable for Uber’s new CEO Dara Khosrowshahi to come out in the open on his own about past wrongdoings at Uber. It takes guts to own up to this.
The first thing he did was to kick out Joe Sullivan and his close aide Craig Clark to clean up the system. Brownie points for that.
Next, he disclosed this incident to the New York Attorney General and the FTC on Tuesday. The investigation and lawsuit for negligence that followed as a result are no-brainers.
Third, he wrote an email explaining this. In his email statement, Khosrowshahi said: “None of this should have happened, and I will not make excuses for it…. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes…. We are changing the way we do business.”
What should the possible recourse be in such cases?
Let me make this clear: I am not an absolute authority giving a conclusive solution. I’m analysing this from all angles.
I’m a tech founder too, and I recognise the need and desperation a founder experiences to have your customers trust you.
Imagining myself in Travis Kalanick’s shoes, I can fathom the desperation Kalanick must have faced at that point and “perhaps” I might have paid off the hackers too if I had that kind of money.
I ask you this — Would you risk a pissed hacker making public 57 million people’s records or worse, him selling this to your competitors or anyone who can misuse that info, just because you don’t pay?
Or are Govt. setups fast, efficient and discreet enough to nab the hackers before they can do the damage?
It was indeed a mind-numbing situation and a founder is driven to push boundaries to safeguard company and client data.
But the next steps are totally unjustifiable — Hiding this fiasco.
All said and done, there are two key learnings from this debacle:
1. Focus on your data security like never before.
Data security must be a priority for every business; tech or non-tech doesn’t matter there.
Data is gold and Data is Cyanide — depends who has it.
2. Own up to your mistakes.
Not telling the world that you effed up somewhere, or that the hackers turned out to be smarter than you were expecting, is an unforgivable mistake. Yahoo, Target, etc. faced these breaches too. But they owned up.
Adversity tests Integrity. Uber failed the test.
Had Travis Kalanick himself owned up to this mistake last year, it would still have led to an investigation or enquiry, some negative press and a debate on data security. However, Uber’s integrity would have remained intact.
Unfortunately, Team Uber failed to register that a reputation of Integrity is the hardest to earn.
As a leader, I am very hopeful that Dara Khosrowshahi will reconstruct the dubious image Uber has built over the past years with the multiple lawsuits and criminal cases it’s accumulated for itself.
Until then Uber’s Business ethics should become a complete subject in Business schools. Too much action there these past years. What-to-do and a whole lot of what-not-to-do.