Another day, another red-faced company reeling from the devastating publicity associated with a hack. Today’s debacle features Uber, which has admitted that sensitive personal information for over fifty million customers and over half a million drivers was compromised in 2016. In addition to the licenses of its drivers, the thieves also absconded with the names, email addresses, and mobile phone numbers of the company’s customers.
Since the crown jewels of Uber’s data – credit card data, Social Security numbers, and trip history – were not believed to have been stolen, one might think that this hack is fairly mundane, or as mundane as a company losing millions of pieces of information can be in today’s massive-breach-a-day world. However, what makes Uber’s particular headache less of a fender bender and more of a head-on collision is the fact that the company decided to keep the breach quiet for more than a year by paying the perpetrators $100,000 in hush money. Uber’s CEO released a statement explaining that the company had obtained assurances from the thieves that the compromised data had been deleted. While it should go without saying, relying on the trustworthiness of a cyber-criminal is not recommended by many cybersecurity experts.
And while paying criminals to remain silent is bad enough, not providing notice of a breach may be even worse. Many of the 48 states that have some type of data privacy regulations in place require that notification be made within a short period of time after a breach is believed to have occurred (e.g., Connecticut requires notification within 90 days). It wouldn’t be surprising if Uber experiences surge pricing as state Attorneys General race to get to their offices to open investigations into this breach.
While Uber explained that it has subsequently enhanced its cybersecurity defenses and that the individuals responsible for handling the breach response were terminated, the reputational and financial damage will no doubt affect Uber’s rating for many years to come.
For assistance with your company’s cybersecurity needs, including compliance with data security regulations, contact Citrin Cooperman’s Technology and Risk Advisory Consulting (TRAC) group at TRAC@citrincooperman.com