Data Breach? Uber Has Bigger Problems

After ride-hailing service Uber discovered it had been PWNd by outside hackers who obtained the names, email addresses and mobile phone numbers related to some 57 million user accounts globally and the driver’s license numbers of around 600,000 drivers in the United States, the company sprung into action, paying the hackers $100,000 to delete the stolen data and to keep the breach quiet. For a year.

The company admitted it learned of the incident a year ago, but did not let the drivers or the riders know about it. On purpose. Deliberately. Intentionally. To keep it quiet.

AWS Builder Community Hub

Uber’s problem goes well beyond not preventing the breach, not detecting it and responding poorly. It goes well beyond hiding the fact of the breach and paying hackers to conceal the breach. It goes beyond failing to comply with data breach disclosure laws (assuming they apply to the kind of data breached), and failing to protect its customer base and employees—or, should I say, independent contractor drivers. It goes well beyond not immediately providing ID fraud/theft mitigation and monitoring for its drivers and customers, and not immediately enlisting the help of law enforcement.

Nope. Uber has a management problem.

You see, among the more than 57 million people who apparently did not know that Uber had suffered a massive data breach was the new Uber Chief Executive Officer. Uber CEO Dara Khosrowshahi released a statement indicating that he “recently learned” of the hack, and that it was wrong to not notify the customers and drivers. That’s why Uber released the notification. Khosrowshahi became CEO of Uber (having left Expedia) in September of this year.

What this means is that either Uber’s old CEO, made a conscious decision NOT to disclose the breach (and to conceal the fact) OR the OLD CEO was similarly unaware of the breach. So, Uber as a company learned about the breach a year ago, but its CEO only “recently learned” of that fact. Unless we measure “recently” in geologic frames of reference (mammals appeared on the planet only recently …) this means that the IT staff, the legal department, the compliance staff, the risk management staff, the forensics staff, the CISO and all of the components of the Uber incident response program knew about a massive data breach and didn’t tell the CEO. Or that the old CEO simply didn’t care.

Or, just as bad, they didn’t know themselves. Either because nobody told them, or because there is no incident response capability.

Did I mention that Uber has bigger problems than not telling drivers and customers about the breach?

It is inconceivable (I know, I do not think that word means what you think it means) that the IT staff responding to the breach, interfacing with the hackers and paying them off didn’t at least mention something to, say, the General Counsel’s office. Someone authorized the payments. Someone opined that no breach disclosure was required. I hope.

This is why companies need to be prepared for breaches. And have a response plan. Test it. Often. And, while you’re at it, if you have a massive breach, mention it to the CEO. Maybe as you are preparing your résumé.

Mark Rasch

Avatar photo

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland. where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and Universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of law and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch had worked as cyberlaw editor for, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.

mark has 194 posts and counting.See all posts by mark