Ride-sharing company Uber has escaped with a smaller-than-expected fine from the UK ICO as a result of a data breach in 2016. The fine, £385,000, is in response to Uber losing the details of 2.7 million UK customers and over 81,000 drivers. The company has also been fined €600,000 by the Dutch data protection regulator, the Autoriteit Persoonsgegevens.
This brings the total in fines for Uber to almost $150 million. The company will now hope that the pain from that incident is over. If so, it will allow it to focus on the other legal problems that it has.
What happened to Uber in 2016?
Uber was hit by hackers who exfiltrated millions of customer and driver records. The hackers contacted the then CEO, Travis Kalanick. Rather than warn customers, drivers and regulators of the data breach, Kalanick decided to pay the hackers $100,000 on their promise to delete the data.
In 2016, there was no legal requirement for Uber to report the breach. However, the UK ICO believes that this was a serious oversight. Its Director of Investigations, Steve Eckersley, described this as: “A complete disregard for the customers and drivers whose personal information was stolen. At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.”
Eckersley also said that: “Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyber attack.”
What does the industry think?
There has been plenty of comment offered by security companies over what happened. Most believe that Uber has moved on under current CEO Dara Khosrowshahi and is a very different company. That does not mean that a breach won’t happen again, but if it does, it will be handled better.
Mark Adams, Regional Vice President of UK & Ireland, Veeam: “Uber has paid the price for those avoidable data security flaws. The hefty fine serves as an unfortunate reminder that breaches can happen to any business, and many will argue that the ICO’s punishment was entirely justified given the ride-hailing company’s incident response – which could be described as ‘apathetic’ at best.
“From a technology standpoint, knowing how to find and implement intelligent data management tools that can spot irregularities automatically and act accordingly is crucial… It’s near impossible to prevent all data leakage and data theft, but a strong and versatile incident response process can help significantly reduce the pain associated with these types of data breach issues.”
Jake Moore, cyber security expert at ESET UK: “Cyber criminals can do a lot of damage with a large breached list containing only names and emails so the ICO are determined to stamp out this type of activity – especially when it has been ruled ‘avoidable’. Having hackers know a set of live emails and names means they can send phishing emails or even attempt to work out the customers’ passwords.
“An incredibly large number of people still use predictable or simple passwords. Together with previous and even recent high-profile breaches, many people’s passwords are also readily available on the dark web, so it can sadly be made very simple for the cyber criminals. There is no doubt that this fine would be higher if it had been post-GDPR.”
Enterprise Times: What does this mean?
Data loss, however large or small, is always an issue. Companies have historically paid too little attention to where their data is stored or how it is protected. That is changing with new privacy laws coming in across several countries. However, this doesn’t mean that companies have reacted adequately to the demands of regulators.
This is not just about Uber choosing not to inform people that they had been put at risk. The incomprehensible move to pay the hackers to delete the data, without any evidence that they had done so, was a panic reaction. Anyone thinking that this could never happen again to any organisation is fooling themselves.
Earlier this week, Sophos reported that half of UK directors would pay a cyber-ransom to avoid a GDPR fine. McAfee has also published research that shows an increase in social media attacks looking to manipulate share prices. Company executives are also likely to pay to stop those campaigns. Both of these raise new challenges for regulators. For listed companies, this comes dangerously close to market manipulation, which is a reportable issue. At the moment, regulators don’t have a policy on cyber-ransom and how it is dealt with. For companies, this is simply a cost of doing business. It is a risk issue that has to be dealt with.
Uber has done a lot to fix its problems since Khosrowshahi took over. For now, it seems that the company just cannot shake the consequences of its past.