Breach, Data Security

Uber efforts to hide breach, delayed notification leads to $148M fine, settlement

A yearlong delay in notifying its drivers that their personal information was stolen by hackers will cost Uber $148 million, according to a settlement reached by the ride-sharing service and all 50 states and the District of Columbia. 

Uber was widely admonished last year when it revealed that not only did it hide the breach but it paid a $100,000 ransom through its bug bounty program to a 20-year-old Florida man to destroy data and keep the hack a secret.

“Uber’s payment of $148 million to settle compliance mismanagement is without precedent,” said Pravin Kothari, CEO of CipherCloud. “The first problem was bad enough - a breach which granted hackers access to the personal information of over 57 million riders and drivers. The second problem was much worse - Uber evidently paid the hackers $100,000 to delete the data and keep the breach quiet, rather than report the incident. A blatant disregard for governance and compliance, putting customers at risk.”

Indeed, "Uber compounded its troubles when it made the decision to hide the data breach in violation of California law,” said Paul Bischoff, privacy advocate with Comparitech.com, noting that the state “has some of the strictest privacy laws in the nation,” requiring the public disclosure of data breaches.

“Had there been no cover-up, the incident would have passed with relatively little commotion. After all, the information leaked in the breach wasn't particularly sensitive---no financial information or passwords were exposed,” Bischoff said. “To me, this fine is more about Uber's dishonesty than justice for victims."

The hacker stole the personal data of 57 million drivers and passengers and led to the resignation of then CEO Travis Kalanick, who reportedly knew of the incident and payout. 

Uber, which was already in hot water with regulators for a 2014 breach, “was under a legal obligation to notify regulators and to the impacted users and drivers,” Corey Williams, senior director of products and marketing at Centrify, said when news of the second breach broke last November.

"Uber's decision to cover up this breach was a blatant violation of the public's trust," California Attorney General Xavier Becerra said in a release. "The company failed to safeguard user data and notify authorities when it was exposed."

Under the terms of the settlement Uber must promptly notify proper authorities of any future breaches. The company must also comply with state laws governing the protection of personally identifiable information (PII) and develop procedures for safeguarding data stored by third parties. 

“While this settlement is directly related to the incident at Uber, its impact extends well beyond one company. A successful lawsuit with a meaningful financial impact reminds other organizations about the full range of cybersecurity risks,” Tim Erlin, vice president, product management and strategy, Tripwire. “Financial settlement and fines are part of the risk equation when weighing out the costs and benefits of cybersecurity.”

 Since “the cover-up behavior was impactful in how this settlement played out,” Erlin said, “it’s a good reminder to all organizations of how a good breach response plan can help avoid poor decision-making in the midst of an incident.”

Kothari said the “takeaway lesson” from the Uber incident and resulting settlement “is that it is incumbent upon all of us to foster a culture in our companies such that our employees understand the ethical necessity of full disclosure and transparency. Protecting our customers and their data is not optional.”

The “unfortunate event” underscores “why it is so critical for organizations to have a secure strategy for managing privileged and remote access to their systems,” especially those used to store sensitive information on customers or employees, said Tal Guest, principal product manager at Bomgar.

“With the ever-growing environments of connected systems and devices, the job of securing privileged credentials, identities, and remote access is an absolute necessity,” said Guest. “It is imperative that organizations realize these threats and take extensive actions to shrink their attack surface.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.