Why The Uber Breach is "Driving" Me Crazy...

in cybersecurity • 7 years ago

So last week brought us the wonderful news that Uber had paid an attacker $100,000 to cover up a breach of 57 million records that had been stolen in October 2016, and I've been intentionally soaking up all the information before deciding to write this post.

Firstly, Uber is not the only organisation in history that has tried to cover up a breach. Extortionists such as The Dark Overlord often use this tactic, pressuring organisations to pay a ransom in return for the attackers not going public about breaching their defences and exfiltrating data. But intentionally covering up a breach is a dangerous tactic, for many reasons covered later in this post.

Where this incident becomes interesting is the specific measures deployed by Uber to cover up the breach. Firstly, paying the hackers $100,000 to "delete the data", but also making them sign an NDA, is a bold tactic!! Furthermore, the company then wrote the payout down as a "bug bounty" to a security researcher... they certainly did their research, on the Uber GitHub repository anyway!

Although the amount of data stolen is serious, compared to Equifax or Yahoo it is not nearly as bad. However, similar to Equifax, how Uber handled the breach may have many repercussions, including for consumer confidence (trust), and now an impending lawsuit from the Washington Attorney General Bob Ferguson.

Covering up a breach for over a year is bad for the following reasons...

  1. Empathy. By covering up the breach, Uber immediately lost any potential empathy or credibility with those affected by it. The statement made by Uber did little to reassure or create empathy with its very large user base. These two factors, compounded by previous public scandals, may add further fuel to the fire.

  2. It exposes the victims. It is very unlikely the hackers did delete the stolen data; why would they? Get paid $100,000 to remain quiet about the breach, and then privately sell the data on hidden marketplaces to private buyers: it's a perfect win/win scenario.

Not reporting the breach means that victims potentially won't have time to react to it and could have their identity stolen, or face further attacks against them such as vishing and smishing leading to financial crime. Not thinking about your customers first in a breach never ends well!

Remember - customers before profits, because without customers there are no profits!

  3. Lawsuits and Breach of Regulation. Uber took the stance of "pay to make the breach go away". The reality is that even with the most robust whistle-blower policy, breaches like this never remain hidden. This is a prime example of why regulation is needed to safeguard consumer data, and why EU GDPR will help drive this.

Already the data privacy regulators in the UK, Italy and the US have announced plans to investigate, and a class action lawsuit has been filed in California. The cost of this breach will most likely exceed 50 times that of the original $100,000 payout to the hackers.

In Summary

Smaller tech companies should take note, especially those that store EU data: hiding a breach not only could cost you up to 4% of your turnover, but will ultimately lead to some sort of class action and long-lasting damage to your reputation and consumer trust.

But by doing the right thing by your customers, you always get the chance to rebuild trust and earn some empathy; hide the breach and you lose that right.

I'm also not saying you should immediately notify your customers the second you find out about a breach. There is a balance: you need to have the right information, understand the scale and impact of the breach, and provide those affected with what you are doing to rectify it and what they can do to safeguard their privacy.

In summary, there are an increasing number of lessons on how not to respond to a breach; "don't be like Equifax and Uber" is the one to remember in 2017!
