An Australian tech entrepreneur has blasted Uber’s alleged payment of a ransom to keep the theft of the private data of 57 million users from being revealed.
Last month, Uber chief Dara Khosrowshahi admitted that the data of millions of users had been exposed, some 13 months after the breach occurred in October 2016. Khosrowshahi, who only took the reins at the ridesharing company in September, announced that two employees responsible for the incident response had been fired.
Meanwhile, the two people responsible for the breach were reportedly paid $US100,000 to delete the data, which included the names, email addresses and phone numbers of 50 million riders and 7 million drivers around the world.
Mailguard founder and chief Craig McDonald said Wednesday that the payment was a mistake, as it would permanently make Uber a prime target for hackers.
“Now it’s public knowledge that Uber pays ransoms, every gangster syndicate and two-bit hacker on the internet will be looking to take a piece of them,” the security expert said.
“In a world where criminals can hold a company to ransom just by infiltrating their email inboxes, paying a ransom is the final mistake in a pattern of mismanagement… Uber thought they were buying themselves out of a bad situation but actually their ransom payment has secured their position on the international cybercriminal hit-list.”
McDonald said that while it might be embarrassing for businesses to admit to breaches, transparency was crucial in recovering from such incidents.
“Uber’s leadership exacerbated the problem by trying to hide it from their customers and the public,” he said.
“By attempting to keep their data breach secret, Uber simultaneously empowered the criminals, betrayed the trust of their customers and irrevocably damaged their reputation with the public at large.”
Murdoch University business professor Gary Martin said an organisation’s culture had a huge impact on its ability to fight cybercrime.
“Culture is very much the responsibility of the CEO and the C-suite… Until there is a lot more discussion and sharing, cybersecurity challenges will not only prevail; they will escalate. We need much more open dialogue about cybersecurity,” he said.
The warnings about corporate transparency come as Australia is set to enact, in February, the Notifiable Data Breaches (NDB) scheme, which will make it compulsory for corporates to disclose data leakages. The European Union is bringing in similar rules in May.
“Uber isn’t the only and won’t be the last company to hide a data breach or cyberattack,” said James Lyne, advisor at cybersecurity firm Sophos.
“Not notifying consumers puts them at greater risk of being victimised with fraud. It’s for precisely this reason that many countries are driving to regulations with mandatory breach disclosure.”
McDonald said Uber’s deliberate cover-up would see it suffer “financial damage” for years to come.
“There will, eventually, be a specific number that can be attached to Uber’s legal costs fighting this case in the US courts, but that bill will probably keep adding up for years to come. Even when the litigation is over, Uber will be bearing the stigma of bad publicity that comes from a scandal like this for years,” he said.
“Uber failed to realise that by paying their attackers a hundred thousand dollars to keep quiet, they were actually setting the fuse on a scandal that has the potential to cost them billions in collateral damage.”