Late last year taxi-app company Uber was hit with a huge data breach that saw the personal information of 57 million users around the world held to ransom by hackers, including that of nearly 3 million of the company’s customers and drivers in the United Kingdom. If that wasn’t bad enough, the company chose not to let anyone know about it, only making the breach public after journalists at Bloomberg broke the story.

The stolen data included customer names, e-mail addresses, and mobile phone numbers. So far, Uber’s forensics experts have not seen any indication that trip location history, credit card and bank account details, Social Security Numbers, or dates of birth were downloaded.

In itself, the data may look of little value, as it contains no financial information. But that is not the point: Uber was unable to keep it secure. And instead of coming clean, it tried to bury the bad news—and did so for over a year.

Uber has said that when it discovered the hack, it took “immediate steps” to secure the data, shut down further unauthorised access, and “obtain assurances” that the downloaded data had been destroyed (and the story kept silent) by paying the hackers off with U.S.$100,000—a move orchestrated by its recently ousted chief executive, Travis Kalanick, and one which has been roundly criticised.

Uber says that it has since implemented security measures to restrict access to and strengthen controls on its third-party administered cloud-based storage accounts, which is where the breach took place. No word, however, as to why it failed to notify anyone—regulators, data authorities, customers, or drivers—about the incident.

In a statement released on 21 November, Uber CEO Dara Khosrowshahi raised the point himself. “You may be asking why we are just talking about this now, a year later. I had the same question, so I immediately asked for a thorough investigation of what happened and how we handled it.” Khosrowshahi declined, however, to explain why the company took a year to notify anybody about the breach; instead, he listed the corrective actions that the company has taken—and others it intends to take—to avoid another, similar disaster.

These include sacking the two individuals who led the company’s initial response to the hack (including Uber’s chief security officer); reviewing the company’s security processes; notifying those drivers whose driver’s license numbers were downloaded, and providing them with free credit monitoring and identity theft protection; notifying regulatory authorities; and—although the company “has not seen evidence of fraud or misuse tied to the incident”—monitoring the affected accounts and flagging them for additional fraud protection.

More generally, Khosrowshahi said that Uber was “changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”

Uber has previous form for keeping quiet about data hacks. In January, it was fined U.S.$20,000 for failing to disclose a considerably less serious breach in 2014. Such tactics will not be tolerated come 25 May 2018, when the EU’s General Data Protection Regulation (GDPR) takes effect. Among other duties, the new rules require companies to report a breach to the supervisory authority within 72 hours of becoming aware of it (unless the breach is unlikely to result in a risk to individuals), and to tell affected individuals without undue delay where that risk is high. Failure to comply with the new regime runs the risk of a maximum fine of either €20 million (U.S.$23.5 million) or 4 percent of global annual turnover, whichever is greater, with the amount scaled to the severity of the infringement. The proposed U.S. Data Security and Breach Notification Act would impose similarly harsh penalties: if the legislation is passed, anyone convicted of “intentionally and willfully” concealing a data breach could face fines and/or up to five years’ imprisonment.

This is not the first scrape Uber has had to contend with, and effective corporate governance does seem to be lacking at the company. Shortly after taking over in September, Khosrowshahi warned employees to brace themselves for a painful six months. The company reportedly faces at least five criminal probes from the U.S. Department of Justice, with U.S. officials looking into instances of possible bribery, illicit software, questionable pricing schemes, and theft of a competitor’s intellectual property.

The company has also had its troubles in the United Kingdom. It lost its licence to operate in London in September and in Sheffield in December, and other cities, such as Cambridge, are reviewing its licence. In November, it lost its appeal in an employment tribunal case over the company’s assertion that it did not employ drivers: rather, they worked on a freelance basis and thus had no rights to holiday or sick pay. The legal decision is likely to increase Uber’s overheads, and possibly make it less competitive.

The U.K.’s privacy watchdog has so far been unimpressed with Uber’s late disclosure, and the subsequent lack of detail about what happened, when, and to whom. In a series of statements, the Information Commissioner’s Office (ICO)—the U.K.’s data protection regulator—said: “Uber's announcement about a concealed data breach last October raises huge concerns around its data protection policies and ethics.” It also warned that “deliberately concealing breaches from regulators and citizens could attract higher fines for companies.”

The ICO, which is investigating the breach, added that “on its own this information is unlikely to pose a direct threat to citizens. However, its use may make other scams, such as bogus e-mails or calls, appear more credible. As part of our investigation we are still waiting for technical reports which should give full confirmation of the figures and the type of personal data that has been compromised.”

Hack highlights app security flaws

Some IT experts are surprised at the scale of the breach at Uber, and the apparent ease with which it happened, which should be a warning to compliance professionals. Andrew Foxcroft, regional director for network and application security specialist Radware’s U.K., Irish, and Nordic division, believes that the hack “wasn’t very sophisticated” and that “it really didn’t take much to get the data.”
“It would seem that the team developing the apps were sloppy in their processes and that security, which should be integral to the design of the app, was an afterthought,” says Foxcroft.
He adds, however, that Uber was in good company since “around half of companies developing apps admit their software development and software operations (DevOps) initiatives don’t include security in design.”
Foxcroft says that Uber’s problems have been compounded by the payment of a ransom, which—he warns compliance professionals—makes no difference to the hackers. “They will take the money and do damage anyway, and because they know you will pay up, they will try and extort even more money by saying they will cause even more damage.”
—Neil Hodge

Under the U.K.’s Data Protection Act, which remains in place until the GDPR takes over, the ICO has the power to fine Uber up to £500,000 (U.S.$665,900) for failing to comply with its duties as a data controller under Principle 7 of the legislation. This states that “appropriate technical and organisational measures shall be taken against unauthorised and unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.” Any financial penalty can be reduced by 20 percent if it is paid within 28 days.

Besides the threat of a fine, other regulatory action that the ICO could take includes criminal prosecution, non-criminal enforcement, and audit. Where there has been a breach of the Data Protection Act, the ICO can also serve enforcement notices and “stop now” orders that require organisations to take (or refrain from taking) specified steps to ensure compliance with the law. Senior managers and directors could also face criminal prosecution if they consented to or connived in the offence, or if it was attributable to their neglect (though the GDPR itself imposes no such personal liability on officers).

While much attention has focused on the fact that Uber did not notify national data authorities about the breach, lawyers say that there is currently no legal requirement in the United Kingdom for it to do so. Helen Davenport, director at law firm Gowling WLG, says that it is not mandatory for data controllers to notify data breaches to the ICO unless they are “providers of public electronic communications services,” such as an internet service provider or telephone company. However, she adds, if there are grounds for the ICO to issue a financial penalty under the Data Protection Act, the Information Commissioner will take into account factors such as the steps that Uber took once it was aware of the breach, and she highlights the regulator’s warning that “deliberately concealing breaches from regulators and citizens could attract higher fines for companies.”

Steve Kuncewicz, partner and cyber-liability expert at BLM Law, says that although there is no legal obligation under the Data Protection Act to notify the ICO of a data breach, “this breach did fall well within the Commissioner’s criteria for the type of breach that ought to be notified to them simply because of the huge numbers of people affected.” As a result, he says, it is “unsurprising that the ICO has since stated that Uber should have notified them post-breach.”

Others are unsure whether Uber has actually broken the law, or is simply guilty of bad practice. Andrew Hartshorn, partner in the information law team at law firm Shakespeare Martineau, points out that while it has been widely acknowledged that Uber was subject to a hack, the company has not as yet been accused of being in breach of current data protection legislation.

“Even organisations with the most stringent data security protection can be the subject of a cyber-attack and, reputationally at least, they are likely to be judged on the way they manage the situation,” he says. However, he concedes that Uber is unlikely to win any plaudits on that score given the length of time the company took to inform the ICO that private customer data had been compromised.

More widely, Hartshorn says that other countries could take regulatory action against Uber if there has been cross-border processing, and/or the breach concerns data subjects in other jurisdictions. “It's important to recognise that this was a global data breach and the consequences could extend beyond the United Kingdom. Uber is likely to be subject to regulatory action in every territory it operates in and where people have been impacted by the breach,” he says.

Already, data protection authorities from across the European Union are investigating the breach as part of the Article 29 Working Party, an EU-wide advisory body that provides guidance on data privacy matters. As Uber’s European headquarters is located in the Netherlands, the Dutch authority is leading this investigation. The GDPR formalises this arrangement when it comes into effect: any investigation—and any final decision—would be led by the supervisory authority of the member state in which the business has its main EU establishment, acting as lead supervisory authority, with the other supervisory authorities concerned taking part.

The presumption that Uber would have faced an eye-popping fine had this incident occurred after the GDPR takes effect next year is also debatable. Kuncewicz says the size of any fine under the GDPR, which is regarded as having tougher sanctions than the current U.K. regime, “would depend on exactly what information was taken, how it was taken, and whether reasonable steps to protect users’ data had been taken beforehand, as well as the effect of the breach upon the interests and rights of those affected.”

Lawyers agree on one point, however: While data cannot always be protected from determined hackers, a company’s failure to notify authorities or the public about a hack it has uncovered is likely to meet with enforcement action in future.