A data breach at Uber is the latest to expose personal information on millions of Americans, and as usual there was a delay in disclosing it — but this case has a twist.
The breach that exposed information on 57 million customers occurred more than a year ago, and some company officials covered it up, even reportedly paying the hackers $100,000 to destroy the data in hopes of keeping it off the black market. “None of this should have happened, and I will not make excuses for it,” Uber CEO Dara Khosrowshahi said Tuesday, adding that the company launched an investigation and fired two people. New York’s attorney general has opened an investigation.
There are a couple reasons the breach happened, according to perspectives MC sought or received from cyber firms, all via email. “The fact [that] accessing one system allowed access to all that info, the fact Uber kept this quiet, and the fact Uber fired two people as their primary response all shows a lack of culture of security,” wrote Guy Podjarny, CEO and co-founder of Snyk. Added George Avetisov, CEO of HYPR: “The Uber breach is another example of what happens when we let companies centralize our personal data. How can personally identifiable information remain ‘personal’ if it belongs to a giant like Uber?”
Uber hiding the breach works to the advantage of the hackers, said Sunil Madhu, CEO of Socure: “What this Uber breach shows us is that many companies fear the reputational harm to their brand that they choose not to disclose these breaches in a timely manner, pretty much assuring that the fraudsters have sufficient time to monetize the stolen data.” Uber claims it has seen no instances of fraud resulting from the pilfered data, but vowed to closely monitor the affected accounts.
It could take stiffer penalties for companies to avoid leaving data vulnerable, multiple firms said. Ken Spinner, vice president of field engineering at Varonis, blamed the relatively small size of government financial penalties company can face in the United States versus what they will face in Europe when a new data protection regulation goes into place. “The Uber hack is just the latest example of a widespread culture of lackadaisical cyber practices and a lack of executive accountability — this mischaracterizes corporate risk and cripples cybersecurity efforts,” said Amit Yoran, CEO and chairman of Tenable. “Executives and organizations must be held accountable for both exercising a reasonable standard of care to protect their systems and their data and for discovering and disclosing breaches in a timely manner.” Ryan Wilk, vice president of customer success at NuData Security, owned by MasterCard, still said “It is refreshing to see a company taking such quick and decisive action to earn back the consumers’ trust.”