UBER: A master-class in how not to handle a serious data security breach

According to the Cambridge Dictionary, ‘uber’ means “extreme”. In the case of Uber, the ride-sharing company, it seems to mean being extremely good at failing to take data protection seriously.

On 22 November 2017 it emerged that, in 2016, Uber suffered a data security breach when hackers accessed the email addresses and mobile phone numbers of 57 million customers and drivers (and that within that number, 600,000 drivers had their names and licence details exposed).

“None of this should have happened,” said Uber’s chief executive, Dara Khosrowshahi. This may be considered ‘fair comment’, especially when you consider that Uber has form: it was fined $20,000 in 2014 in the US for failing to disclose a considerably less serious breach.

What has the ICO said about this?

Unsurprisingly, the Information Commissioner’s Office (ICO) has “huge concerns about Uber’s data policies and ethics”, especially as it has also emerged that Uber paid a ransom to the hackers to delete the data.

The ICO Deputy Commissioner said these actions were unacceptable and that “If UK citizens were affected, then we should have been notified so that we could assess and verify the impact on people whose data was exposed. It’s always the company’s responsibility to… take steps to reduce any harm to consumers. Deliberately concealing breaches from regulators and citizens could attract higher fines for companies”.

Better sooner than later?

On 25 May 2018, the General Data Protection Regulation (GDPR) will come into effect. Amongst other things, the GDPR will increase the maximum fine for data security breaches from £500,000 to €20 million (currently about £18 million), or 4% of turnover, whichever is the greater. Uber may be fortunate that the ICO cannot yet impose that higher level of fines.

Any other consequences?

Although Uber may face a large fine, that may turn out to be the least of its problems. It’s quite possible that this breach (and how it’s been handled) will damage its reputation which, although harder to quantify than a fine, could far outstrip any financial penalty. And that could have significant business consequences – who knows if it will have any bearing on its London licence appeal?

Uber’s chief security officer has left the company, as has their in-house lawyer.

And finally

Suffering a major data security breach is bad enough. Hiding it is even worse.
