Author(s): Raghu Gopal
The Uber data breach that surfaced last week is a major development on several levels. The hack affected 50 million customers and 7 million drivers. Customer information exposed includes e-mail addresses and phone numbers of Uber passengers around the world. For drivers, additional data was stolen.
In 2016, two hackers downloaded the data from a third-party server and approached Uber, demanding $100,000 to delete the information. Uber paid the sum and pushed the individuals to sign non-disclosure agreements. To further conceal the damage, Uber executives also made it appear as if the payout had been part of a "bug bounty", a common method for technology companies in which they pay "ethical hackers" to attack their software to find vulnerabilities.
These days, high-profile hacks happen often, prompting a resigned shrug from some consumers and lasting anxiety in others. Recently, hackers have stolen consumer data from Anthem, Equifax, Target and Yahoo.
The way Uber handled the breach underscores the extent to which its executives were willing to go to protect the ride-hailing giant's reputation as well as its potential $70 billion valuation. Although the major cost of the leak could ultimately be the loss of customer trust, US state and federal agencies are investigating. Most states have data-breach notification statutes, including California, which pioneered the laws. The attorneys general of Connecticut, Illinois, Massachusetts, Missouri and New York have said they're looking into whether Uber infringed these laws.
The taxi-hailing company could also face scrutiny from the Federal Trade Commission, one of the regulators governing privacy policies in the US. The commission penalized Uber in August 2017 over privacy and security violations, including allowing employees to access information about customers' trips. Now the commission is likely to revisit Uber's practices. Regulators in other countries such as Australia, the Philippines and the UK said they're also investigating Uber's handling of the attack. Under new European legislation coming into force in May 2018, this sort of breach and the way it was handled could attract a very large fine, up to 4 percent of worldwide turnover.
It's the handling of the incident that's under particular scrutiny. Uber waited more than a year to publicly disclose any information about the hack, meaning that affected individuals were unaware that their information had been taken. The payment of what could be described as hush money is also being questioned.
This data breach is another black mark on Uber's reputation. The company has been suffering through a string of incidents spanning several continents, but the exposure of personal information of tens of millions of individuals will require Uber to be extra cautious. There shouldn't be a trade-off between convenience and confidence.