SearchSecurity, November 22, 2017; Comments by Willy Leichter
For a while now, Uber customers have overlooked a growing number of the company’s sins. To name a few: this month the state of Colorado fined Uber nearly $9 million for allowing its employees to drive customers even though the drivers had serious criminal records and driving violations.
Last summer, Uber was caught badly mishandling private information about its drivers and customers, including using celebrity customers’ data to its own advantage. The FTC imposed strict rulings on Uber, which the company agreed to abide by.
Uber breach affected 57 million users, covered up for a year
Now it has been revealed that the company was hacked a year ago and data on 57 million of its users was stolen. But instead of announcing that it had been hacked, the company tracked the hackers down and paid the thieves $100,000 in ransom in exchange for their deleting the stolen data and keeping the event secret. Who knows whether the hackers actually deleted the stolen data (likely not a safe bet), but even if they did, the news got out anyway. The breach was discovered during a board investigation into Uber’s business practices.
Uber’s CSO Joe Sullivan and a lieutenant reporting to him were fired this week. CEO Dara Khosrowshahi says he wasn’t aware of the hack and cover-up until recently, though he was informed in mid-September. He ordered an investigation and now pledges to correct the company’s errant ways. Questions remain as to why notifying people was delayed.
Customer Reactions to Uber Missteps
How are customers responding? Some are remaining loyal, with the rationale that the service remains convenient and one can’t blame the drivers for the company’s relentless missteps. Others have had enough, feeling that with this latest offense the company has disrespected its customers one too many times. Those in need of a ride have other options from competitors like Lyft, which is noticing an uptick in business.
Of the 57 million customer records that were stolen, 600,000 included drivers’ license numbers, so the company is offering free monitoring services to those customers (supporting the notion that the stolen data hasn’t been deleted).
50 States Have Breach Notification Laws
Among many, a key question rankles: aren’t there laws requiring companies to reveal when significant breaches of customer information happen? Indeed there are. 48 of the 50 states have breach notification laws, Alabama and South Dakota being the only exceptions. Companies are required to notify customers if their information has been stolen. The first state to adopt such a law was California, in 2003. Uber is headquartered in San Francisco.
Willy Leichter, vice president of marketing at Virsec Systems, Inc., said that if the details of this Uber breach cover-up are verified, it could be extremely damaging for the company.
“This is a staggering breach of customer trust, ethical behavior, common sense and legal requirements for breach notification. Paying hackers to conceal their crimes is as short-sighted as it is stupid,” Leichter told SearchSecurity. “If this had happened after the EU GDPR kicks in, Uber would cease to exist. That may be the outcome anyway.”
Uber Not the Only One Paying Ransoms
Perhaps most alarming of all is the FBI’s statement that ransomware payments are common, to the tune of nearly $1 billion a year. How many companies have resorted to this isn’t known, but given that cyberattacks are on the rise and companies caught in the hot seat are desperate, attempts to buy their way out of the problem are an increasingly frequent response. How many such payments have already happened without the public’s knowledge is anyone’s guess.
Time will tell how many of Uber’s customers will choose to forgive, forget or migrate to other options. In the meantime, it has never been more critical for companies to find better means of protecting their data, particularly from attacks that target web applications.