Instead of informing the public about a data theft that took place in 2016, Uber paid hush money to the hackers to destroy the data in an alleged cover-up. In order to avoid a protracted and embarrassing legal battle, the company will pay the highest settlement ever in such a case.
For Uber, this recent data leak is becoming very expensive. As part of a settlement with US authorities, the company has agreed to pay $148 million, as New York's Attorney General Barbara Underwood announced this week on behalf of all 50 US states and the District of Columbia.
It is the highest settlement ever to be paid in a data breach case.
Uber paid the hackers to keep quiet
In November 2017, Uber admitted that hackers had stolen the personal data of 57 million customers and drivers from Uber Technologies Inc. after gaining access to data stores the year prior in October 2016. The stolen data included names, email addresses, mobile phone numbers, and license plate numbers. The disclosure was made after the breach was discovered by US regulators investigating Uber for previous claims of privacy violations.
Uber originally discovered the breach in November 2016, just a month after it had occurred, at which point Joe Sullivan, then Chief Security Officer at Uber, and his team paid the hackers $100,000 to destroy the data and did not inform regulators or users that any personal information had been stolen. As of now, Uber has not yet commented on how the company can be sure that the hackers did in fact destroy all or any of the data.
What’s next for Uber?
“None of this should have happened and I will not make excuses for it,” said Uber CEO Dara Khosrowshahi. “We are changing the way we do business.” Khosrowshahi joined Uber in November 2017 and has been pushing to reform the business's data security practices and restore its image.
In response to these revelations, further measures to improve data security have been taken at Uber, such as seeking professional consultation on their data security practices and the introduction of a "corporate integrity program" to encourage employees to blow the whistle on unethical behavior.
Could this have been avoided?
In our last post regarding the Uber breach we asked: “Which Chief Security Officer is 100% sure that every employee is acting according to the recently enacted password policy?”
Network protection and access control are very important but closing every gap in a complex enterprise network is simply not possible.
What if we have to take a different approach to data security? What if a company were able to say: “We may have been hacked, but all is well: the data the hackers got hold of is completely useless!”
The EU’s GDPR supports solutions like this and states that if stolen data is adequately protected, then there is no obligation to disclose the breach, since no actual sensitive data has been compromised. This means that in the event of a breach, personal data is kept safe and the affected company doesn’t have to worry about legal battles, fines, or settlements.
comforte already makes this possible through its patented data-centric security solution.