The term ‘reputational apocalypse’ has been used about the recent news of the Uber data breach cover-up. It’s no exaggeration. 57 million sets of customer and driver data were stolen back in 2016, including the email addresses, names and phone numbers of customers and the licence details of some 600,000 Uber drivers. But while the breach alone is damaging enough, what has escalated Uber’s reputational damage to an apocalyptic dimension is the manner in which the company handled it.
Rather than follow correct procedures for reporting a breach, Uber’s executive team at the time allegedly decided to identify the hackers concerned and pay them $100,000 to provide assurances that the downloaded data had been destroyed. Going to considerable lengths to hide the loss of personal data from customers and staff, Uber’s C-suite might have thought they were avoiding the negative publicity other brand names have encountered during similar breaches. By taking a stance that was neither transparent nor informative, what they actually did was to damage the company’s reputation still further.
Thankfully, Uber’s new CEO recognised the seriousness of the situation when he arrived and has undertaken full disclosure. The 2016 breach followed on from a less serious breach in 2014, which Uber also failed to disclose. They were fined $20,000 on that occasion and may have considered, in the light of this modest fine, that the risk of non-disclosure in 2016 was worth taking. It is not yet known what penalties will be imposed for the latest breach and its consequent cover-up, but it is likely the sums involved will be punitive.
Under the EU General Data Protection Regulation (GDPR) the fines for this type of breach will be even higher. After May 2018, when GDPR comes into effect, inadequately protected organisations which suffer a breach will be penalised by fines of up to 20 million euros or 4% of global turnover (whichever is higher). The intention behind the legislation, which is being enshrined into UK law through the new Data Protection Bill, is to prevent another Uber-type breach.
For a start, if a breach does occur, GDPR requires the organisation to investigate and inform victims within 72 hours. But GDPR is not simply about reporting times and fines. The essence of the legislation is for organisations to develop a more intelligent, data-centric approach to security. They will have to know exactly where their data resides, who can access it and how it is transferred. They will need to be clear about when and where data is encrypted and decrypted. They must be seen to understand the differences between private and public clouds and the cybersecurity threats specific to each. Becoming GDPR compliant will require many organisations to improve their data systems significantly. If they do not, they must be aware of their accountability.
Uber claimed that their ‘corporate systems and infrastructure’ were supplied by a ‘third party cloud-based service’ and that this service was the target of the breach. This is no excuse under current legislation, and the responsibility of Chief Information Security Officers (CISOs) and Data Protection Officers (DPOs) is made even clearer under GDPR. They have a responsibility to the people whose data they hold, and that accountability can never be outsourced.
When it comes to CISOs, the buck really does stop here. But that does not mean that they should not be provided with expert professional support. SRM is at the forefront of information security in the UK. As cyber security supplier to HM Government, we understand large organisations, but our clients also include corporates, charities and SMEs. Our GDPR team provides expert guidance. It can also scope a client’s systems for frailties and vulnerabilities through bespoke penetration testing, assist with accurate data mapping and provide a whole range of additional services developed to support CISOs and DPOs at every level, from compliance to disaster recovery.
For a no obligation chat, contact Mark Nordstrom.