Uber hid 2016 cyberattack affected 57 million Uber customers and drivers: five lessons for every business

Ride-sharing service Uber recently disclosed that it suffered a massive cyberattack in October 2017, in which personal information of some 50 million customers and 7 million drivers was stolen.  Uber has come in for harsh criticism over its response to this attack, including not disclosing it, paying $100,000 in “ransom” to the hackers to delete the stolen data, for not encrypting the data, not complying with state customer notification laws or federal consumer protection laws.

How the breach happened

In October 2016 two hackers got access to Uber’s GitHub account, a site many companies use to store code and track projects. Once in that account, the hackers found the username and password to access Uber data stored in Uber’s Amazon Web Services account, and downloaded personal data, including names, email addresses, and phone number of some 50 million Uber customers. They also downloaded some driver’s license numbers of seven million Uber drivers, including 600,000 in the U.S.

How Uber responded

Uber responded to the breach by agreeing to the hackers’ demand to pay $100,000 in ransom, a step that many experts say companies should not do, as it only encourages continued hacking.  Uber claims that it received assurances from the hackers to delete the data and keep the incident quiet, but since these are criminals, those assurances may not be worth very much.

Uber delayed reporting and disclosing the breach for months, which may be a violation of state laws requiring notification of customers, and Federal Trade Commission regulations that aim to protect consumers.  These violations could open Uber to substantial fines and penalties (Uber has already paid a $20 million fine earlier this year to the FTC in connection with misrepresenting to its driver how much income they could earn driving for the company). Several state attorneys general as well as regulators in other countries where Uber customers’ data was stolen, including the UK, Australia, and Italy, are also investigating. Several lawsuits have already been filed on behalf of Uber customers. In addition, two senior executives of Uber, including its director of security, were terminated.

This is not the first time Uber has been hacked; in 2014 hackers stole the data of 100,000 drivers.  In August of this year (that’s right, after the latest cyberattack) Uber settled an investigation with the FTC by agreeing not to misrepresent how it protects customer data, put better security measures in place, and submit to an audit every two years for the next twenty years to ensure that the program was in place and effective.  Obviously, none of that worked.

Lessons for your business

 Usually only cyberattacks against large companies make the news, but any size business is vulnerable; companies with as few as five employees have been hacked. Uber’s mishandling of this incident, however, offers lessons for any business:

• Incident response: if you discover your business has been hacked, you should first figure out how it happened and what has been effected, so that you can stop it from continuing. At that point, you need to look at your obligations to notify customers, law enforcement, and other government regulators.  The sooner you notify them the lower your potential liability and reputational damage.  On top of Uber’s other bad publicity over the past couple of years, this doesn’t help. The cover up is always more damaging than the original act.
• Encryption: encrypt sensitive company and customer data, both in transit and “at rest”, even if held by a third-party service. Encryption is not expensive, and encrypting data can relieve you of customer notification obligations under the laws of most states, including Colorado.
• Backup of data: you should back up data in real time using secure off-site services. That way, if hackers steal or freeze your data, you can recover it from the backup.
• Don’t pay off the bad guys: be careful about paying a ransom to hackers. While it is not illegal to do so, you can’t trust them to release or delete the data, and making payment only encourages them, and other hackers, to keep up the attacks.
• Using independent software developers: if you use outside software developers, make sure they are using best practices to protect your data, including not leaving login information visible to hackers

These are just a few of the things any company can do to protect itself from hackers.  As you can see, not all of the preventive measures are IT fixes; good cybersecurity is an enterprise-wide issue, and involves people, processes and procedures, and training, as well as technical measures.

If you want to know more about protecting your company from hackers, please contact Mark Spitz at mark@spitzlegalcounsel.com or 720-575-0440.