The San Francisco-based ride-hailing company finally admits that over 2.7 million UK users are amongst those whose personal details were compromised in a hack which took place over a year ago. The only thing any of us can do is learn some universal lessons from this spectacular example of exactly how NOT to handle a major data protection breach.
Store data, and the keys to access it, securely
It appears that the breach occurred because login credentials had been stored in a GitHub repository: a developer platform designed for collaboration, not a vault for confidential information. Those credentials were reportedly taken from there and used to access Uber’s data stored on AWS. It is a salutary reminder that no system is stronger than its weakest link, which in many cases is a human who is insufficiently aware of cybersecurity and of their responsibilities under privacy law. These were developers, who might have been expected to know better.
Having been hacked in the back office is no defence under current data protection law, never mind GDPR, so this is a timely reminder to review and update your credential management practices. What is your organisation’s policy on password complexity, renewal, and storage, and on where API keys and other machine credentials are allowed to live? Is everyone aware of it, and complying effectively? Because:
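The lesson of the breach described above is that credentials must never be committed alongside code. One practical control is a scanner run as a pre-commit hook, so that a key pasted into a settings file is caught on the developer’s machine before it ever reaches a shared repository. The script below is an added example written for this article, not Uber’s code nor the page’s own. It relies on two documented credential formats (AWS access key IDs start with AKIA or ASIA followed by 16 characters; GitHub classic personal access tokens start with ghp_ followed by 36 characters), and on an assumed entropy threshold of 3.5 bits per character to separate real secrets from placeholders such as "changeme". The sample file is constructed for the demonstration; the AWS values in it are the placeholder examples AWS uses in its own documentation.

```python
"""Pre-commit secret scanner (added example, not code from the article or from Uber).

Flags credential-shaped strings so they are caught before a commit reaches a
shared repository: AWS access key IDs, GitHub personal access tokens, PEM private
key blocks, and high-entropy values assigned to password/secret/token variables.
"""
import math
import re
import sys
from collections import Counter
from dataclasses import dataclass

# Specific formats first. The generic assignment rule runs only on lines that no
# specific rule matched, so each line is reported once under its most precise rule.
SPECIFIC_RULES = {
    # AWS access key IDs: "AKIA" (long-term) or "ASIA" (temporary) + 16 characters.
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # GitHub classic personal access tokens: "ghp_" + 36 alphanumerics.
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    # PEM private key header, with or without a key-type label (RSA, EC, OPENSSH...).
    "private_key": re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),
}

# Generic rule: a variable named like a secret assigned a literal of 8+ characters.
ASSIGNMENT_RULE = re.compile(
    r"(?i)(password|passwd|secret|token|api[_-]?key)\w*\s*[=:]\s*['\"]?([^'\"\s]{8,})"
)
# Assumed threshold (bits per character): below it the value is treated as code
# (e.g. os.environ[...]) or a placeholder rather than a credential.
ENTROPY_THRESHOLD = 3.5


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    redacted: str  # first four characters only, so the report itself leaks nothing


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character of `value`, from its character frequencies."""
    if not value:
        return 0.0
    counts = Counter(value)
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep a short prefix for triage and mask the rest."""
    return value[:4] + "*" * (len(value) - 4)


def scan_text(text: str) -> list[Finding]:
    """Return one Finding per credential-shaped match, in line order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        matched_specific = False
        for rule, pattern in SPECIFIC_RULES.items():
            for m in pattern.finditer(line):
                findings.append(Finding(line_no, rule, redact(m.group(0))))
                matched_specific = True
        if matched_specific:
            continue
        for m in ASSIGNMENT_RULE.finditer(line):
            value = m.group(2)
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append(Finding(line_no, "high_entropy_assignment", redact(value)))
    return findings


# Constructed sample: the kind of settings file that must never be committed.
SAMPLE = """\
# settings.py (constructed sample)
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
db_password = os.environ["DB_PASSWORD"]
GITHUB_TOKEN = "ghp_0123456789abcdefghijABCDEFGHIJ012345"
api_key = "changeme"
-----BEGIN RSA PRIVATE KEY-----
"""


if __name__ == "__main__":
    # With file paths as arguments, behave as a pre-commit hook: non-zero exit
    # blocks the commit. With no arguments, scan the constructed sample.
    sources = [(p, open(p, encoding="utf-8", errors="replace").read()) for p in sys.argv[1:]]
    if not sources:
        sources = [("<sample>", SAMPLE)]
    total = 0
    for name, text in sources:
        for f in scan_text(text):
            total += 1
            print(f"{name}:{f.line_no}: {f.rule}: {f.redacted}")
    sys.exit(1 if total else 0)
```

Wired in as a pre-commit hook (`python scanner.py $(git diff --cached --name-only)`), this blocks the commit whenever a finding is reported. Lines 2, 3, 5 and 7 of the sample are flagged; the `os.environ` lookup and the "changeme" placeholder fall below the entropy threshold and pass, which is the intended behaviour of the generic rule. Pattern-based scanning is a safety net, not a substitute for keeping credentials out of source trees altogether; secrets belong in a vault or the deployment environment, and a scanner like this only catches the formats it knows about.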
Privacy and compliance are everybody’s responsibility
The ICO has always been clear that privacy by design is the best approach to ensuring alignment with data protection objectives right across an organisation. Compliance is simply too fundamental to be relegated to particular executive functions. Whilst from May 2018 GDPR will require many organisations, including those processing personal data at scale, to appoint a Data Protection Officer, that officer’s role is to ensure consistent and effective compliance across all data touchpoints, not to carry the responsibility alone.
But for each member of the team to understand and fully exercise their responsibilities for data protection, they’ll need:
- Policies – indicating how data will be processed and putting boundaries on its use, in a form that is easy and quick to refer to whenever anyone suspects a risk may be present
- Procedures – for reporting breaches, escalating subject access requests, and safe data processing required by their role
- Training and reminders – training once is not enough; to keep data protection front and centre of employee awareness and ensure skills are updated, this must be regularly reviewed
- An organisational culture of honesty and psychological safety, where breaches can be rapidly reported, whistles blown if necessary, and damage limitation undertaken fast.
This final point was clearly missing by a mile at Uber…
Any cover-up only makes things worse
According to Gartner, around 80% of 2016 security budgets were allocated to protection, while only the remaining 20% was allocated to detection and response. So even where executives intend to behave with considerably more integrity than Uber’s previous management did, the capability to detect and tackle breaches effectively appears to be generally under-resourced.
Under GDPR, the enhanced duty to notify requires the regulator to be informed within 72 hours of becoming aware of a breach, and affected data subjects to be told without undue delay where the risk to them is high; in a significant breach, you’re likely to need every one of those hours to get the job done. You can bet the ICO and other enforcers will take an extremely dim view of any attempt to cover things up. Prompt and effective response, and learning from it to prevent recurrence, are the only mitigation. Having failed to disclose the breach publicly for over a year, Uber will be bracing for hefty fines from the many jurisdictions in which it operates, as well as from its home state of California.
Trust and reputation take time to establish, and can be lost in a heartbeat
As if Uber wasn’t already staggering from investigations into its anti-competitive practices, losing its London operating licence, and allegations of systemic sexism, it has managed to squeeze one more epic failure into the year. Earlier in the year, prior to the departure of Kalanick, its rival Lyft saw 7% growth in its customer base, according to analytics company 1010data.
Whatever fines global regulators finally settle on, they are likely to be as nothing compared to the ultimate cost of Uber’s loss of consumer confidence, not only because the breach occurred, but because of the appalling way in which it was concealed.
And if you still use the Uber app, then make very sure you have changed your password, and that the same combination of email address and password is not in use anywhere else. Apparently the hackers signed a non-disclosure agreement before receiving their pay-off… Hmm, how reassuring is that? Whilst the UK digital minister has stated that users were not at risk of direct financial crime, there have been multiple accounts of people’s Uber accounts being hacked and used by Russian travellers.
Coming so soon after the Equifax breach, this story only confirms how prominent data protection and privacy now are in the public eye, within the UK and globally, and serves as a timely reminder of how the clock is ticking for GDPR in May.
About the author:
A regular collaborator with Assuredata, Maya Middlemiss is a freelance B2B writer and consultant, with a professional background in consumer research and community management. She is an associate at Virtual Not Distant and Insight consultant at Management 3.0, and writes and speaks on a variety of topics from location independence to content strategy.