Uber, GDPR and the Business of Blackmail

Matti Suominen

November 23, 2017 at 10:14

On Tuesday November 21, 2017 Uber revealed that they have faced a data breach during 2016 but failed to disclose the event initially. Data of 57 million users and over 600,000 drivers was affected in the breach as reported by Uber themselves. The company admits that instead of disclosing the event publicly at the time, it agreed to pay the hackers $100,000 in exchange for deleting the data and not disclosing the event.

Uber CEO Dara Khosrowshahi posted a statement from Uber’s point of view and discussed the background and follow-up for the incident.

Uber

The Uber case in a nutshell:

  • The individuals who handled the follow-up on Uber’s side have been fired due to this incident
  • Media is mostly focusing on Uber’s cover-up rather than the initial incident, showing  the company in worse light than if it had been a typical data breach case
  • The follow-up and investigation on Uber’s side likely ended up costing significant amount of money and will likely continue to do so in the future as well
  • Uber is now taking all the actions it should have taken when the incident originally happened
  • If this had this been within the scope of GDPR during next year, we would  likely be talking about legal action next with the cover-up as an aggravating circumstance

The incident comes at a time when Europe is slowly but surely approaching the point where GDPR enforcement starts at the end of May, 2018. While this event happened in the United States, it is easy to imagine that exactly the same thing could happen in the EU. There are no fundamental differences as far as criminal activity goes and there are many similar companies which could be hit by a similar attack. Hacking is a global phenomenon that easily crosses borders and jurisdictions without any additional cost or extra effort for the attacker.

The question of whether such events should be made public or not is worth considering.

These events highlight that a concerning new weapon is available to attackers. As the cost of a breach through potential consequences grows with the GDPR enforcement, criminals now have more leverage towards their victims. The victim may be more willing to pay a ransom to cover up an incident rather than taking the risk of potential consequences. If the ransom is reasonable compared to the perceived cost that follows from reporting the breach, criminals may see a market for these types of attacks and offer such an option to victims.

It is important to understand the rationale behind GDPR. While the goal of GDPR is to protect the individual first and foremost, it’s also understood and accepted that incidents do happen. Because of this, the processes built in to GDPR regarding breach notice is designed to limit the damage. Fast notice, collaboration with authorities and decisive follow-up actions all focus on minimizing the impact on individuals who are affected by the breach.

GDPR is very clear on the topic and provides requirements on how and when the disclosure needs to happen. The focus is on potential harm facing the individuals who are potentially impacted by the breach. It is also clear that attempts at circumventing the law and avoiding bad PR by covering up the incident will be taken into account when considering potential repercussions and penalties. This is true both in the court of law and the court of public opinion – Now there is more discussion about the fact that Uber covered this up than what happened in the first place.

Key takeaways for companies that are considering their strategy on handling data breaches:

  1. First and foremost, ensure a reasonable level of security across the organization to avoid most data breaches in the first place – this is by far the most cost-effective method and the only one that really prevents the consequences
  2. Ensure that there is a process for reporting data breaches within the company that reaches the right people and is in line with the ethical code of conduct of the company
  3. If data breaches happen, be transparent about it in the first place and make efforts to repair damage to the company reputation through decisive and effective follow-up actions
  4. Establish a clear policy on how to handle ransom situations and ensure that it is communicated to relevant stakeholders within the company
  5. Co-operating with the criminals in such cases offers no guarantees that the incident won’t re-surface, either immediately or in the future

Something that is easily lost in the noise with all the reporting but should be the primary lesson from this event. The incident is reported to have been the result of relatively low-effort attacks that should never have happened in the first place if proper security measures had been in place. Ensuring a reasonable security baseline within companies should be one of the first steps towards protecting both the company itself and the data of individuals. While the level of sophistication in attacks is constantly going up, it’s also true that majority of the breaches we read about in the news were carried out through simple attacks that could have easily been prevented.

Related blogs