This week Uber revealed it was subject to a data breach affecting around fifty-seven million of its users and drivers, with nearly three million of the affected users residing in the UK. Unfortunately, a large corporation suffering a breach no longer carries the shock it once did, but Uber’s case is slightly different: Uber has known about this data breach since October 2016, under its previous CEO, Travis Kalanick.
The data breach meant that hackers had access to customer email addresses, names, and phone numbers, as well as the licence details of around 600,000 Uber drivers. Uber’s strategy on learning of the breach was to pay the hackers $100,000 to destroy the data and ask them to keep quiet.
We don’t negotiate with terrorists
Uber’s behaviour after the breach raises a multitude of questions; the first I want to address is the ethics of paying hackers to delete any data they may have stolen. Throughout the last century governments have publicly taken a policy of non-negotiation with terrorists. The thought process behind this is that if governments capitulate to terrorist demands, whether monetary or otherwise, it will incentivise further acts, as it will appear to others that these acts work. At first glance this policy can look like the correct course of action.
The issue with modern data breaches is that they work very differently from the terrorist attacks of years past. For example, in the eighties, when kidnappings were more widespread across Europe, there were generally few parties other than the government or the victim’s family who would be willing to pay the high ransoms demanded for a hostage, making non-negotiation a more viable option.
Data taken today is far more liquid than assets gained previously. While an attacker may offer the data to the victim company first, if the company declines to pay the ransom demanded it is quite simple for the attackers to sell the stolen data to the highest bidder on the web or dark web, who can then use the data for phishing scams, to gain access to other, more lucrative sites the customer may use, or for some other activity.
How easily data can be moved around completely alters the responses available and, in my opinion, means that instead of an organisation taking a default position of non-negotiation, at the very minimum it will have to assess the ‘trustworthiness’ of an attacking group as well as what the effects would be if the data they hold were sold to a nefarious organisation.
For perspective, as time has gone on, governments that took the public stance of “we don’t negotiate with terrorists” have often been found to have been negotiating with the terrorists through back channels at the same time, adding to the idea that a blanket stance might not be a good idea.
Even Silence Has its Price
In June 2017 Uber’s CEO, Travis Kalanick, was forced to resign from his position with the assessment that he had contributed to a poisonous company culture that in the long run would be harmful to Uber as a company. Travis Kalanick was replaced by Dara Khosrowshahi, recruited from Expedia. Mr Khosrowshahi was brought into the role with the expectation that he would transform the company culture, on the basis that ‘a new broom sweeps clean’. Indeed, within the first few weeks of his moving into the position he stated that “there is a high cost to a bad reputation”.
Unfortunately, though, his actions do not appear to have fully matched that intention in the case of the data breach. Two weeks after being appointed to the role he learnt of the data breach, and he did not disclose it until over two months later. This puts Uber in breach of the Information Commissioner’s Office regulation that companies must inform it of the ‘essential facts’ of a breach within twenty-four hours.
A lack of action would be harmful to any organisation’s image; Uber, however, is currently challenging the suspension of its London operating licence. Its licensing difficulties were unrelated to the data breach, but the news will simply add to Transport for London’s case that Uber is not a fit and proper operator of public transport within London.
Phew! It’s Only My Email Address
The common refrain from companies once they disclose that a breach has happened is that customers can sleep safely, as no payment or financial details were taken in the attack. Uber is no different in this case, as it says only names, email addresses and phone numbers were taken.
For me this provides little reassurance, as my personal information holds far more power and has far more permanence than my credit card details do. In the UK, if a fraudulent financial transaction occurs with my credit card I am not liable for it and can claim the money back from my issuer, who in turn claims it back from the retailer or by other means. If a fraudster still has my card details I can cancel my card and a new one is issued, or in the worst case my card will expire after approximately three years, making the details almost useless past that point.
My name, date of birth and other such information are permanent and cannot be changed. This means that if a hacker gets hold of them they can do far more harm. For instance, if they get my address and date of birth it is quite likely they could bluff their way through phone support for a number of the services I use. Another good example involving phone numbers is the case in which a group intercepted the two-factor text messages sent to a mobile number, allowing them to access a Gmail account and, from there, a Coinbase wallet.
From my assessment, people are far more worried about their financial information being stolen than about their personal information, which is understandable: if they have no money in their account at the end of the month they may not be able to pay their bills. However, their personal information can be far more harmful to lose in the long term and should be more closely guarded than it usually is.
A Good Bad Example to Follow
Uber’s data breach will be studied by organisations and in universities in years to come as the way not to handle a data breach. From the outset, instead of being open and transparent, Uber attempted to sweep events under the rug, and even once it had appointed a new chief executive it took far too long to follow the correct course of action.
Missteps are still being made by Uber: it has yet to contact any of its customers affected by the data breach and has hidden the only mention of the breach within the help section of its website. The NCSC has provided advice on what to do if you think you may be affected by the breach and has also advised that people remain vigilant for any possible phishing emails.
Hopefully other companies will look at Uber’s actions and learn, so that if they do have a breach they inform the relevant authorities and their customers as soon as possible. I also can’t help thinking that if a high-profile company such as Uber can hide these events for this long, there must be many other lesser-known companies out there hoping no one notices that they too have had a data breach.