After ride-hailing service Uber discovered it had been pwned by outside hackers who obtained the names, email addresses and mobile phone numbers related to some 57 million user accounts globally and the driver’s license numbers of around 600,000 drivers in the United States, the company sprang into action, paying the hackers $100,000 to delete the stolen data and to keep the breach quiet. For a year.
The company admitted it learned of the incident a year ago, but did not let the drivers or the riders know about it. On purpose. Deliberately. Intentionally. To keep it quiet.
Uber’s problem goes well beyond not preventing the breach, not detecting it and responding poorly. It goes well beyond hiding the fact of the breach and paying hackers to conceal it. It goes beyond failing to comply with data breach disclosure laws (assuming they apply to the kind of data breached), and failing to protect its customer base and employees—or, should I say, independent contractor drivers. It goes well beyond not immediately providing ID fraud/theft mitigation and monitoring for its drivers and customers, and not immediately enlisting the help of law enforcement.
Nope. Uber has a management problem.
You see, among the more than 57 million people who apparently did not know that Uber had suffered a massive data breach was the new Uber Chief Executive Officer. Uber CEO Dara Khosrowshahi released a statement indicating that he “recently learned” of the hack, and that it was wrong to not notify the customers and drivers. That’s why Uber released the notification. Khosrowshahi became CEO of Uber (having left Expedia) in September of this year.
What this means is that either Uber’s old CEO made a conscious decision NOT to disclose the breach (and to conceal the fact), OR the OLD CEO was similarly unaware of the breach. So, Uber as a company learned about the breach a year ago, but its CEO only “recently learned” of that fact. Unless we measure “recently” in geologic frames of reference (mammals appeared on the planet only recently …), this means that the IT staff, the legal department, the compliance staff, the risk management staff, the forensics staff, the CISO and all of the components of the Uber incident response program knew about a massive data breach and didn’t tell the CEO. Or that the old CEO simply didn’t care.
Or, just as bad, they didn’t know themselves. Either because nobody told them, or because there is no incident response capability.
Did I mention that Uber has bigger problems than not telling drivers and customers about the breach?
It is inconceivable (I know, I do not think that word means what you think it means) that the IT staff responding to the breach, interfacing with the hackers and paying them off didn’t at least mention something to, say, the General Counsel’s office. Someone authorized the payments. Someone opined that no breach disclosure was required. I hope.
This is why companies need to be prepared for breaches. And have a response plan. Test it. Often. And, while you’re at it, if you have a massive breach, mention it to the CEO. Maybe as you are preparing your résumé.