In case you missed it, ride sharing company Uber has recently come under fire over the circumstances surrounding a data breach that occurred in late 2016 but that the company didn’t publicly report until just last month (nearly an entire year later). The hackers behind the breach were able to access the personal information of 57 million users, including names, email addresses and phone numbers. Also stolen were 600,000 driver’s license numbers of Uber drivers. With yet another high profile brand making headlines, it’s time to ask once again: could a stronger cybersecurity strategy have prevented this fiasco?
According to Uber CEO Dara Khosrowshahi, two hackers broke into the company’s GitHub account, a third-party, cloud-based service that many companies use to store code. It was on this site that the hackers located the username and password they needed to access user data, which was stored on an Amazon server. Sadly, experts are saying the attack was not sophisticated, which means it could have been prevented had the company been more vigilant with its cybersecurity practices.
Where they went wrong
The breach itself isn’t what’s got Uber in hot water right now, although users and regulatory agencies are rightfully outraged. What’s most upsetting is that, rather than alerting users that their information had been compromised and notifying authorities of the breach (as is required by law), Uber instead handed over a $100,000 ransom to the hackers. According to Uber representatives, they were assured, and therefore believed, that in exchange for that payment the data had been destroyed.
The problem is, by failing to report the breach, not only were users placed in a precarious situation, with their personal information in the hands of criminals without their knowledge, but the company also failed to act lawfully and in compliance with regulations. As a result, it’s likely that Uber will face consequences at both the state and federal level.
Furthermore, when businesses choose to pay hackers what they demand, it only perpetuates the problem of cybercrime and encourages others to follow suit. Similar cybersecurity events recently hit the well-known brands Netflix and HBO; however, neither of those organizations paid the ransom demanded.
A better solution
The bottom line is, what happened to Uber could easily happen to any business. And paying the ransom – even if it did result in the data being destroyed – didn’t address the actual problem, which is poor cybersecurity planning. Keeping usernames and passwords in code stored on an easy-to-access platform like GitHub was mistake number one.
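A check for mistake number one, as an added example that is not from this post or from Uber: a small scanner that flags AWS access key ids and high-entropy hard-coded secrets in text, the kind of check a pre-commit hook would run on staged files before anything reaches a shared repository. The AKIA prefix format is AWS’s published access key id format; the sample config, rule names and entropy threshold are constructed for this example.

```python
import math
import re

# Patterns for the kind of secret the post describes: an AWS access key id
# (AKIA followed by 16 uppercase alphanumerics) and a hard-coded password or
# secret assignment. Rule names and the entropy threshold are this example's own.
AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
ASSIGNED_SECRET = re.compile(
    r"(?i)(aws_secret_access_key|password|passwd|secret|api_key)\s*[:=]\s*"
    r"['\"]([^'\"]{8,})['\"]"
)
ENTROPY_THRESHOLD = 3.0  # bits per character; placeholders like "changeme" fall below

# Constructed sample of a settings file that should never reach a shared repo.
SAMPLE_CONFIG = """\
DEBUG = True
AWS_ACCESS_KEY_ID = "AKIAEXAMPLE0000ABCD1"
AWS_SECRET_ACCESS_KEY = "Zq8vL2nRt0xPw7YkDm4sBh9cE1jF6gUa"
DB_PASSWORD = "changeme"
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking secrets score high."""
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)


def scan_text(text: str, path: str = "<sample>") -> list:
    """Return (path, line_no, rule, detail) tuples for credential-like lines."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        key = AWS_KEY_ID.search(line)
        if key:
            findings.append((path, line_no, "aws_access_key_id", key.group(0)))
        m = ASSIGNED_SECRET.search(line)
        # Skip low-entropy values so obvious placeholders do not cause noise.
        if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
            findings.append((path, line_no, "assigned_secret", m.group(1)))
    return findings


if __name__ == "__main__":
    for path, line_no, rule, detail in scan_text(SAMPLE_CONFIG):
        print(f"{path}:{line_no}: {rule}: {detail}")
```

Wired into a pre-commit hook that exits non-zero on any finding, this blocks the commit before the credential ever leaves the developer’s machine.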
The second mistake Uber made was not having the right technology in place. For instance, had they employed automated incident response, they would have been alerted to the breach immediately and quite possibly could have avoided having to pay the ransom in the first place. The third mistake, of course, was the company’s failure to notify the appropriate parties. For that, they will likely pay much more than the original ransom amount, and reputationally the company may never quite recover.
Uber’s latest PR nightmare should serve as a reminder to business owners, board members and IT leaders across the globe. The question is no longer whether your company will get hacked, but rather when. Being prepared, leveraging technology and adhering to all state and federal regulations can help your business weather the storm and emerge unscathed on the other side.