Lessons Learned From the Uber Data Breach

In November of last year, the ridesharing company Uber revealed that the personal information of 57 million users, many of whom are drivers in the United States, was stolen in a data breach in 2016. The company also admitted to paying the hacker responsible for the breach $100,000 to destroy the data that was stolen.

Uber customers and drivers were shocked to hear that the company kept a massive data breach secret for over a year. Many people criticized the way that the company handled the data breach and vowed to never work with or use Uber again. Some consumers may be turning their backs on Uber, but companies should pay close attention to Uber’s situation in order to learn from their mistakes. Here are some of the lessons learned from the Uber data breach:

The Cover Up is Worse Than the Crime

Companies typically announce that they have been affected by a data breach shortly after it occurs. However, Uber did not. Instead, the company chose to contact the hacker and pay him to keep the breach silent and destroy the data. By doing this, the company hoped that no one would ever find out the breach occurred. But, it’s hard to keep news of something of this size quiet for long in today’s world. It took a year for the data breach to come to light, but consumers were not happy that Uber tried to keep it hidden for so long. They were even more upset that the company paid the person who was responsible for illegally stealing the data.

There’s an old expression—the cover up is worse than the crime—that certainly applies in this case. Sure, if Uber had notified the public right away, consumers would have been annoyed that their data was breached. However, in consumers’ minds, keeping the breach a secret was worse than being breached in the first place.

Don’t Reward Hackers

Many people criticized Uber’s decision to pay the hacker responsible for the breach $100,000. By rewarding the hacker, Uber sent a message to other criminals that crime does pay. Hackers may realize that if they target certain companies and obtain a significant amount of data, they can ask the company to pay for their silence. This could encourage hackers to target other companies and increase the overall number of data breach incidents.

Companies should learn from this mistake made by Uber. Instead of rewarding hackers, companies should immediately alert authorities when they detect a data breach. Let the authorities investigate the breach, identify the hacker, and hold them accountable for their criminal behavior.

Honesty is Key

Not only did Uber pay the hacker responsible for the breach, but the company also lied about why the payment was made. Initially, Uber attempted to make it appear as if the hacker participated in a bug bounty program, which is when a tech company pays hackers to attack its networks to identify vulnerabilities. However, in this case, the hacker was not a participant in a bug bounty program. Uber went to great lengths to lie to the public about the data breach, and now they are in the midst of a public relations nightmare. This should teach other companies that honesty is crucial when dealing with the public after a data breach. If Uber had been honest from the beginning, the breach would not have done so much damage to their brand.

Comply With Regulations

Each state has its own laws that require companies to report certain data breaches. For example, companies in the state of Washington must promptly report a data breach to any consumers that may have been affected. If a company fails to comply with these regulations, it can face massive legal fines.

Uber knew that it had a legal obligation to report the data breach that affected millions of consumers. However, it chose not to comply with these regulations. As a result, the company is now facing a number of lawsuits that could end up costing Uber millions. The city of Chicago and the attorney general in Washington have already filed lawsuits against the company for its failure to notify consumers in a timely manner. There have also been several class action lawsuits filed by angry consumers affected by the breach.

If Uber had simply done what they were supposed to do, they wouldn’t be in this type of legal trouble.

Data Breaches Can Affect All Companies

Another lesson that everyone should learn from this incident is that data breaches can affect any company. Uber is a huge company with unlimited resources at their disposal. You would think that a company of this size would have done everything possible to protect their customers’ data, but unfortunately, whatever they did was not enough. If data at a company with vast resources can be breached, then data at companies of all sizes is at risk. It’s important for companies of all sizes in all industries to realize that they could be targeted by hackers.

The Link Between Security and Reputation

Companies should also realize that there is now a link between a company’s security and its reputation. If a company’s security is weak, its reputation will suffer as a result. Unfortunately, Uber learned this lesson the hard way.

There are a number of ways for companies to prevent data breaches. For starters, companies should work with an e-waste recycler that will destroy the data on old electronic devices so it can’t fall into the wrong hands. When you work with ERI, you can rest easy knowing that the data on all of your devices will be completely destroyed. For more information on recycling your electronics, or to request a quote for your company, contact us today.