“Once you have paid him the Danegeld,” Rudyard Kipling once wrote, “you never get rid of the Dane.” However, you might be able to keep him quiet — or at least that’s what Uber apparently thought. Faced with a hack of its computer system that exposed the records of 57 million customers and 7 million drivers, the ride-sharing company decided to pay off the hackers to hush up the breach and keep everyone in the dark.
Oh, and did we mention that Uber was jousting with the New York and federal regulators at the time about data-privacy policies?
Hackers stole the personal data of 57 million customers and drivers from Uber Technologies Inc., a massive breach that the company concealed for more than a year. This week, the ride-hailing firm ousted its chief security officer and one of his deputies for their roles in keeping the hack under wraps, which included a $100,000 payment to the attackers.
Gee, I wonder what that did to the hacking market. Can anyone say “incentives”? I knew you could. Wouldn’t it have been easier just to report the attack first and then have the FBI handle the ransom drop to help nab the hackers?
Uber insists that they didn’t get financial data, and also that the hackers deleted the data after the ransom payment. Both claims take leaps of faith to buy, but hackers got enough personal data to attempt to pry out the financials in other ways, especially of its drivers:
Compromised data from the October 2016 attack included names, email addresses and phone numbers of 50 million Uber riders around the world, the company told Bloomberg on Tuesday. The personal information of about 7 million drivers was accessed as well, including some 600,000 U.S. driver’s license numbers. No Social Security numbers, credit card information, trip location details or other data were taken, Uber said.
At the time of the incident, Uber was negotiating with U.S. regulators investigating separate claims of privacy violations. Uber now says it had a legal obligation to report the hack to regulators and to drivers whose license numbers were taken. Instead, the company paid hackers to delete the data and keep the breach quiet. Uber said it believes the information was never used but declined to disclose the identities of the attackers.
Politico notes the timing of the breach and its juxtaposition with legal pressures on Uber:
Uber’s silence at the time of the digital break-in also raises eyebrows because it came just as the Silicon Valley stalwart was negotiating with the Federal Trade Commission over a complaint about the company’s handling of consumer data. Uber eventually settled with the FTC in August of this year, promising to implement a “comprehensive privacy program.”
The breach discovery also came shortly after Uber settled a lawsuit with the New York attorney general over its failure to judiciously disclose a 2014 breach.
The exposure of the cover-up already has regulators in the UK taking aim at Uber, where the firm already had struggled to operate:
Britain’s data protection authority said on Wednesday that concealment of the data breach raises “huge concerns” about Uber’s data policies and ethics.
“Deliberately concealing breaches from regulators and citizens could attract higher fines for companies,” James Dipple-Johnstone, deputy commissioner of the U.K. Information Commissioner’s Office, said in a statement. Current British law carries a maximum penalty of 500,000 pounds ($662,000) for failing to notify users and regulators when data breaches occur.
The state of New York has opened a new investigation into Uber’s actions, a spokesperson told CNBC, restarting a fight that Uber thought had finished last year. Australia and the Philippines have also begun probes into the company’s operations and data practices. It’s almost a sure bet that US federal regulators will do the same.
Consumers, meanwhile, face another round of uncertainty over their financial security. Uber claims that the hackers didn’t access credit card data within the system, but then again, Uber hasn’t exactly been forthcoming about data security of late, either. This follows on the heels of the Equifax breach, in which consumers were also kept in the dark for far too long while their personal information had been stolen. The Department of Justice has an open investigation into that hack underway, and the company booted its CEO after an avalanche of outrage — and they never paid off the hackers, at least as far as is known now.
Consumers didn’t have much leverage with Equifax, which services lenders and credit firms. They have plenty of leverage with Uber, though, and the blowback on this will likely be significant even without the heavy government pressure that’s about to descend on them around the world. If I were an executive with Lyft, I’d take this moment to double-check data security and then promote it like crazy over the next few weeks. If nothing else, they can opt for dramatic readings of “Danegeld” over headlines for this story. I’d suggest Patrick Stewart for the voice-over work.