Top 5 Lessons learned from Uber’s data breach
The technology giant, Uber, has made some serious mistakes. But the good news is, the rest of us can learn from it (and avoid hefty fines and business irrelevance).
Towards the end of 2016, Uber experienced a massive data breach that compromised the Personally Identifiable Information (PII) of approximately 57 million users and drivers. The exposed database also included the license numbers of about 600,000 Uber drivers.
It took Uber approximately a year to disclose the security incident. Another two years later, the hackers plead guilty to the charges. In 2018, the company also paid $148 million for violating the state’s law (when it comes to data breach disclosure), which usually demands notification within 45 days.
You would think that the story ends here, but the repercussions are still ongoing. Uber’s former security chief Joseph Sullivan (who is now the Chief Security Officer of Cloudflare), was charged with obstruction of justice and (the concealment of a) felony.
Four years on, the obstruction and misprision changes stemmed from the alleged payment of $100,000 to hackers in 2016. Sullivan and the company also got the bad actors to sign a nondisclosure agreement about the incident. Federal prosecutors also allege that Sullivan deliberately misled the Federal Trade Commission (FTC).
Uber’s (mammoth) mistakes serve as an excellent example of what we shouldn’t do. These top five lessons learned are simple, yet critical to avoiding prosecution, fines, business irrelevance, or even worse, jail time.
1. Don’t cover up a security incident
The first is the most obvious lesson. Regardless of how bad it might be, don’t ever (attempt to) cover up a data breach. A cover-up's ramifications can be worse than the actual data breach, both for the company and the individuals involved.
2. Don’t wait a year to disclose a data breach
If you experience a security event, follow the disclosure guidelines set by appropriate governing bodies. If you’re required by law to report a data breach within 45 days, disclose it within that time frame. Waiting a year to reveal details about the data breach shows little to no regard for customers.
3. Don’t repeat the same mistakes
The 2016 data breach wasn’t the first time that Uber’s user data was accessed via Github. In 2014, hackers found a login key left in the code that Uber’s developers publicly posted on Github. This security event led to the data theft of 50,000 Uber drivers. If the company learned from its mistakes, the 2016 data breach that exposed millions of users' data could have been (easily) avoided.
4. Don’t store sensitive data in third-party repositories
Uber’s software developers stored sensitive login data on a third-party repository, Github. Software developers often use Github and similar repositories to collaborate on projects, track bugs, and distribute application versions. While such platforms certainly have their advantages, it’s vital not to store any PII.
5. Don’t trust threat actors
Uber paid the hackers a $100,000 ransom for the data and required them to sign a nondisclosure agreement. Trusting in the kindness of bad actors isn’t the smartest decision. What’s more, it also makes it difficult for law enforcement to bring hackers to justice. It’s always better to be transparent and deal with the fallout.
The echoes of Uber’s 2016 data breach will be heard for some time to come. Lawmakers have suggested that people need to go to jail before companies start taking data security and privacy seriously. As for now, it remains to be seen if Sullivan will do any time because of the infamous Uber data breach.
To learn more about protecting yourself from a data breach and how to respond to security events, schedule a commitment-free consultation now!