When you submit your name, address, or phone number to a company or website, do you ever consider where your information may end up? Millions of Uber users in the United Kingdom and the Netherlands unknowingly had their information exposed in a huge data breach in November of 2016. Uber’s cloud servers were accessed, and they held users’ personal information as well as their locations and license plate numbers.
The UK Information Commissioner’s Office said the breach was caused by a “series of avoidable data security flaws.” This means the company neglected the actions necessary to protect its users’ data. Neither customers nor employees had any knowledge or notification of the security breach for over 12 months preceding the scandal. According to the ICO, the two hackers responsible held the information for a ransom of $100,000, which Uber has admitted to paying in an attempt to cover up the breach and have the data deleted. The immoral and irresponsible decisions made by Uber have cost the company over $1.1 million.
The Commissioner’s Office criticized how the attack was handled by stating, “Uber USA’s decision to treat the incident as a bug bounty rather than a security breach demonstrates an inadequacy in its decision making when contacted by the attackers in November 2016.”
Uber was fined $678,000 in the Netherlands and $491,000 in the UK under the old Data Protection Act of 1998. The current law, the EU’s General Data Protection Regulation (GDPR), would have charged them up to 4% of their global revenue, which would have cost them significantly more.
The company has reportedly made several technical and nontechnical improvements to its security systems since the attack. It has fired its Chief Security Officer, Joe Sullivan, as well as deputy Craig Clark, for their involvement in the failed rendezvous. It has also hired its first chief privacy officer, a data protection officer, and a new chief trust and security officer.
Unfortunately, it took a $1.1 million fine and the loss of customer data for the company to do the right thing. It is easy to point out flaws in others but, honestly, most companies are no different than Uber, waiting for the negative event to take place before taking their cyber-security program seriously. Most cyber professionals lack the knowledge, skills, and abilities to address today’s cyber threats. Combine the lack of a skilled workforce with the fact that corporate executives continuously fail to see the value of investing in cyber protections, and it’s no wonder these things continue to happen! We always believe bad things will never happen to us… until they do. Then we act surprised and say things such as “we learn from our mistakes.” I look forward to a day when we are wise enough to learn from others’ mistakes instead of only learning from our own.