Published on the 23/11/2017 | Written by Jonathan Cotton
It may be a year old hacking scandal but as Uber starts to come clean it just gets worse and worse…
In a seemingly endless string of public shamings for the beleaguered company, it’s been revealed that Uber paid hackers US$100,000 in hush money to bury a massive data breach.
Long story short, late in 2016 Uber was hacked with key information about both customers and drivers compromised.
Not much noteworthy there, but for the fact that Uber didn’t inform regulators of the event, instead paying the hackers a US$100,000 ransom to keep the breach secret.
And that breach was enormous, compromising the personal information of its 57 million users. That’s names, email addresses, and mobile phone numbers of customers (credit card numbers appear to have been spared) and names and license numbers of seven million drivers. (An estimated 14 percent of the Australian population use the ride-sharing service with an estimated 300,000 active users in the New Zealand market).
As news of the breach – and Uber’s staggeringly dishonest response – broke on Tuesday, newly minted CEO Dara Khosrowshahi got on the front foot to do some damage control, promising the company will be “honest and transparent” as they work to repair their past mistakes.
“At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals,” soothed Khosrowshahi. “We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed.”
“None of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”
Is Khosrowshahi’s statement a sign the company is looking to change their duplicitous ways? Not likely. Sure, he’s dropping plenty of the right buzzwords – but failing to mention anything about a US$100,000 ransom payment.
Australia as well as the UK, the US and the Philippines have announced they are launching investigations into the breach as well as the company’s response.
Calling the incident “a timely reminder” to Australian businesses of the reputational value of good privacy practice and “the reputational risks that can follow mishandling of personal data”, the Australian Information and Privacy Commission says it’s currently conducting inquiries with Uber.
“I also remind organisations that the commencement of the Notifiable Data Breaches Scheme in February 2018 will require them to notify any individuals likely to be at risk of serious harm due to a data breach,” said the Commissioner. “Failure to do so could lead to the imposition of penalties provided for in the Privacy Act.”
So what – if anything – explains Uber’s radically unethical response to the breach? Even good companies can get hacked, that’s the nature of business in 2017. Good companies don’t cover it up though.
“In 2017, companies are judged more on the breach response than the breach itself,” commented Michael Sutton, CISO at Zscaler. “Yet again we’re receiving a lesson in how not to respond.”
“Uber, a company that had already exhibited questionable judgement on a number of occasions, chose to go to significant lengths to bury a data breach rather than protect their customers and drivers. Even after they had paid criminals to make their problems go away, they had no assurance that the compromised data couldn’t still be used… This response goes well beyond unprofessional behaviour all the way to gross negligence and will no doubt come with legal consequences.”
When Uber finds themselves in a hole it seems their first instinct is to keep digging. And to state the astonishingly obvious, this is not Uber’s first run-in with the moral dilemma. They’ve threatened journalists, endured mass sexual harassment-related firings, actively worked to deceive authorities, as well as a host of other vulgarities.
Uber is like that good friend that just can’t seem to make a good decision, and as with that friend, eventually the time will arrive when a reasonable person’s only option is to cut ties for good.
Because it’s becoming increasingly apparent that Uber isn’t a good company, just a successful one, with this scandal simply the latest in a litany of outrageous behaviours from perhaps the most dysfunctional organisation to ever make the Fortune 500.
Of course the employees ‘responsible’ for the pay off – a chief security officer and a deputy – have been axed. But it would be a mistake to take comfort in that. A corporate willing to cut problematic staff in moments of trouble is neither unique nor particularly noble.
It would also be a mistake to think of this event in terms of it being just another of ‘Uber’s PR nightmares’. Because it’s more than that. It’s a crystal clear demonstration of the company’s contempt for, well, everyone.
And at this rate the time is rapidly approaching when we, as customers, will have to ask ourselves: At what point does the cost of cheap rides become too high?