When data security goes uber-wrong

16 Feb 2018 Lumina Technologies

After a number of headline-grabbing data security breaches, the cab firm Uber is publicly learning the price of not taking cybersecurity seriously. It has recently come to light that in 2016, it suffered a catastrophic security breach that resulted in the theft of the personal details of millions of customers and drivers all over the world.

It appears the data breach was caused by carelessness. Someone wrote the password used to administer the system on a third-party server’s website. A hacker stumbled across the password and used it, then blackmailed the company to the tune of $100,000 in return for deleting the data.

Uber then made things so much worse by making two major mistakes:

  1. Uber paid the ransom! Surely the first rule of extortion is that if you pay, you end up locked into a cycle of payments – how could Uber ever be certain the hackers would delete the data?
  2. Uber’s corporate governance team tried to cover up the breach and did not report it. Under the new GDPR laws, this will be illegal. The company is now under investigation in the United Kingdom, USA, Australia, and the Philippines and could face multiple fines.

Future implications

By its actions, the company has made a huge rod for its own back. It is currently appealing against Transport for London’s decision not to renew its licence to operate in the capital. Before the breach came to light, TfL had already ruled that Uber was not a “fit and proper” company to run taxi services because of Uber’s “conduct and approach”. Covering up such a catastrophic security breach will undoubtedly work against them.

A civil lawsuit has already been filed in the US against Uber on behalf of the drivers and customers whose details were hacked. The complaint stated that “Uber failed to implement and maintain reasonable security procedures and practices appropriate to the nature and scope of the information compromised in the data breach.” It is likely that, if the lawsuit is upheld, the high level of civil damages, coming in addition to official fines, could spell the end of the company.

It is therefore up to every business, however large or small, to take responsibility for its data security. We must all take our data security seriously, especially once the GDPR takes effect next May.

If you would like to discuss any aspect of data protection or find out how the GDPR will affect your business, please contact us to arrange an appointment.