Bates Research | 11-29-17
An Uber Cyber Breach
Another high-profile cyber breach was disclosed last week. Uber, the app-based transportation service, announced that in 2016 hackers stole information, including names, email addresses, phone numbers and driver’s license data, relating to 57 million drivers and riders. The incident is significant not only because it underscores the vulnerability of data held in the cloud and on corporate servers, but also because it highlights the serious consequences of mismanaging what is becoming an all-too-frequent occurrence.
Bates has been following several notable cyber incidents, specifically the breaches of the Equifax credit reporting agency and of the SEC’s own EDGAR system for corporate filings. These breaches highlight the vulnerability of data systems across different types of organizations (government agencies and private enterprises), and the risk that massive amounts of personal information will be put in jeopardy.
Cyber-crime against corporations like Uber is not new. It has been predicted that, by 2019, a business will fall victim to a ransomware attack every 14 seconds. Despite widespread knowledge of frequent attacks, and despite demands by political and regulatory officials for more education and fluency in cybersecurity at all management levels (not just within IT departments), industry commentators have remarked that some corporate executives lag in implementing effective countermeasures and in taking responsibility for their cybersecurity. The Uber announcement illustrates the risks faced by companies whose data has been breached, and the attention this case is getting may force executives to consider not just their legal obligations to disclose, but their ethical obligations as well.
According to reporting by Bloomberg and Wired, two attackers gained access to a private code-sharing site used by Uber software engineers and found login credentials stored there. Those credentials were enough for them to have “then accessed data stored on an Amazon Web Services account that handled computing tasks for the company.” After finding a trove of data on riders and drivers on the Amazon-hosted servers, the hackers emailed Uber demanding money. Uber responded by paying the hackers $100,000 to delete the information, but then failed to disclose the breach to authorities or users for nearly a year.
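The attack path described above, a credential sitting in a code repository and then reused against a cloud account, is exactly what a secret scanner run before each commit is meant to interrupt. What follows is an added example for this article, not Uber’s code and not a reconstruction of the credentials involved in this incident. It uses the documented AWS key shapes (20-character access key IDs beginning AKIA or ASIA, 40-character secret access keys); the sample files are constructed, the key values are the placeholder keys from AWS’s own documentation, and the entropy thresholds are assumptions to tune for your own repository.

```python
"""Find AWS-style credentials committed to a code repository.

Added example for this article: not Uber's code, and not a description of
the specific credentials involved in the 2016 incident. Key formats are the
documented AWS shapes; the sample files below are constructed.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Long-term access key IDs start with AKIA, temporary (STS) ones with ASIA,
# followed by 16 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")
# Secret access keys are 40 base64-alphabet characters with no fixed prefix,
# so anchor on a nearby assignment to a *secret*key-style variable name.
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws_?)?secret(?:_?access)?_?key\W{0,5}"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)
# Placeholders such as AKIAXXXXXXXXXXXXXXXX are low-entropy; real keys are
# random. Thresholds are bits per character (assumed values, tune per repo).
MIN_ENTROPY = {"aws_access_key_id": 3.0, "aws_secret_access_key": 3.5}


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's empirical character distribution."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    value: str

    @property
    def redacted(self) -> str:
        # Never echo the full secret into CI logs or tickets.
        return f"{self.value[:4]}...{self.value[-4:]}"


def scan_file(path: str, text: str) -> list[Finding]:
    """Return every credential-looking token in one file that passes the
    format match and the entropy filter."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        candidates = [("aws_access_key_id", m.group(1)) for m in ACCESS_KEY_RE.finditer(line)]
        candidates += [("aws_secret_access_key", m.group(1)) for m in SECRET_KEY_RE.finditer(line)]
        for kind, value in candidates:
            if shannon_entropy(value) >= MIN_ENTROPY[kind]:
                findings.append(Finding(path, lineno, kind, value))
    return findings


def scan_repo(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> file contents (e.g. the staged tree)."""
    return [f for path, text in files.items() for f in scan_file(path, text)]


def precommit_gate(files: dict[str, str]) -> int:
    """Shell-style exit status for a pre-commit hook: 1 blocks the commit."""
    findings = scan_repo(files)
    for f in findings:
        print(f"{f.path}:{f.line}: {f.kind} {f.redacted}")
    return 1 if findings else 0


# Constructed sample tree. The live-looking values are the example keys from
# AWS documentation; the .env.example placeholders should NOT be reported.
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = False\n"
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    ),
    "deploy/.env.example": (
        "AWS_ACCESS_KEY_ID=AKIAXXXXXXXXXXXXXXXX\n"
        "AWS_SECRET_ACCESS_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n"
    ),
    "README.md": "Set AWS_SECRET_ACCESS_KEY in your environment; never commit it.\n",
}

if __name__ == "__main__":
    raise SystemExit(precommit_gate(SAMPLE_FILES))
```

Two practitioner caveats. First, a gate like this only protects future commits; a key that was ever committed remains in history even after it is deleted from the current tree, so the same scan has to be run over every revision (for git, over the output of `git log -p --all`). Second, a match is a finding to be rotated, not a finding to be removed: once a long-lived key has been in a repository it must be treated as compromised and replaced, preferably with short-lived credentials issued to the workload rather than a static key that can be copied again.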
Last Tuesday, the data breach was made public on Uber’s online news room. New CEO Dara Khosrowshahi stated: "None of this should have happened, and I will not make excuses for it. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers."
Mr. Khosrowshahi revealed that former CEO Travis Kalanick, who had been forced to resign in June under pressure from investors, knew of the breach. Mr. Khosrowshahi acknowledged that Uber was obliged by state and federal law to report the theft of driver’s license information and failed to do so. “At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals…We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts,” he said. Mr. Khosrowshahi reportedly fired Uber’s chief security officer and his deputy for the cover-up.
The fallout from the handling of the Uber breach is far reaching. The Wall Street Journal reports that the attorneys general of New York, Missouri, Massachusetts, Connecticut and Illinois have all launched investigations. Three class actions have been filed by drivers and customers alleging negligence, specifically “failing to implement and maintain reasonable security procedures and practices appropriate to the nature and scope of the information compromised in the data breach.” The US Federal Trade Commission (“FTC”) stated it was “closely evaluating the serious issues raised.” Additionally, there are reported rumblings among Senators about holding hearings. In response, Uber issued the following statement: “We’ve been in touch with several attorney general offices and the FTC to discuss this issue, and we stand ready to cooperate with them going forward.”
The issue has been taken up internationally as well. In Mexico, the National Institute of Transparency, Access to Information and Protection of Personal Data announced it will seek to determine how many of the country’s citizens were affected. In the United Kingdom, the Information Commissioner’s Office (ICO) has warned Uber that it could face fines as a result of the breach. It was reported that European Union regulators could create a task force to coordinate investigations of the breach. Reuters also reported that regulators in Japan, Australia, Italy and the Philippines have opened investigations.
Bates Research has been covering efforts to address broad cyber security questions. The Uber breach suggests a whole new level of reputational damage that can result from inadequate cyber security, and from inadequate policies and procedures following a breach. Bates looks forward to continuing its coverage of this subject.
Learn & Earn CLE with Bates Group:
Bates expert Shane Shook will join Cadwalader, Wickersham & Taft LLP in discussing the current state of play in cyber security at a complimentary CLE webinar on Thursday, November 30, 2017 at 12 pm ET. Details and registration information can be found here.