Uber Hack: Hiding it Was Bad, But This Is Even Worse
23 November 2017 00:00
The scandal is just the latest in a series of wrong turns for “everyone’s private driver”, and leaves us asking the obvious question: “what the hell were you thinking?”.
So Uber has just announced a huge breach that exposed the details of 57 million customers and drivers. The problem is that it happened last year… and they didn’t tell anyone about it.
Well, to be exact, that isn’t the only problem - Uber then paid $100,000 in ransom to have the hackers delete the stolen data.
Concealing the breach is bad enough, but it could get even worse
To hide a massive breach from consumers is pretty much as bad as it sounds. From an ethical and safety angle, it’s scandalous that the people affected weren’t notified of the breach, which would have let them reduce any potential harm this exposed data could cause them.
But, for Uber themselves, the repercussions of hiding this breach could have been so much worse, not least because we are only a few months away from the overhaul of data protection law that the mighty GDPR will bring.
For those of you who don’t know (which is very unlikely, seeing as it seems to be everywhere we turn!), GDPR will come into effect from May onwards and impose strict laws on EU countries that give consumers greater control over the data they share with companies.
In other words, these new rules mean that companies have to notify data regulators about a breach within 72 hours of becoming aware of a hack, meaning that Uber would have missed that window by, let’s say… a long time.
Companies in breach of the regulations can be slapped with fines of 4% of global annual turnover or 20 million euros (whichever is higher). But, as Uber hasn’t released its recent figures, we can’t yet estimate the financial cost of the breach, though you can bet your bottom dollar that the figure would be high.
What can be said, though, is that the reputational damage to Uber will be significant, to say the least. Sure, this sort of damage is harder to quantify, but yet another huge mistake by the firm has added another nail to the coffin.
Should they have paid the ransom? Probably not.
Whether a business should ever pay a ransom to regain access to its data is a question that has divided security experts for years. To be fair, it’s a tough question to answer, mainly because of just how valuable data is nowadays, and how damaging it can be in the wrong hands.
But for Uber to pay $100,000 to have this data disposed of is a whole new debate.
How do we really know that this data hasn’t been copied? After all, cyber criminals are hardly the most trustworthy people you’re likely to come across. Looking at past ransomware attacks, people who pay the criminals’ demands often don’t get their data back.
But it isn’t just the lack of trust that should make a business seriously consider keeping its wallet firmly shut. Paying the ransom is itself a huge encouragement for cyber criminals to carry on targeting businesses. To say that Uber has now made a slight contribution to the already hefty growth of ransomware attacks is an understatement.