MY TAKE: Why Uber’s flaunting of disclosure laws should ignite security regulations

Think it was a mere coincidence that Uber disclosed its catastrophic data breach late in the afternoon on the Tuesday before Thanksgiving?

Fat chance. Uber’s new CEO Dara Khosrowshahi almost certainly calculated the diminished notoriety to be gained by announcing the hack on the eve of the year’s most distraction-packed, four-day weekend.

Related article: The implications of Deloitte breach on heels of SEC, Equifax hacks

Uber discovered it had been breached 14 months ago, in October 2016. The ride-hailing pioneer has admitted losing personal information for 57 million customers (myself included) and 600,000 drivers.

(UPDATE. 6 am, Nov. 29, 2107. Uber has clarified that it lost personal information for about 50 million passengers and 7 million divers, some 600,000 U.S. drivers. That includes losing the driver’s license numbers for all 7 million drivers. On that basis, Washington Attorney General Bob Ferguson has filed a multimillion-dollar lawsuit against Uber. Under Washington’s data loss disclosure law, companies must notify victims of any loss of driver’s license numbers. “Washington law is clear, when a data breach puts people at risk, businesses must inform them,” Ferguson said, in announcing what he billed as a multimillion-dollar lawsuit. “Uber’s conduct has been truly stunning. There is no excuse for keeping this information from consumers.”)

A lot of water has gone under the bridge in 14 months. Uber officials could not have missed the fireworks surrounding high-profile breach disclosures by Equifax, the U.S. Security and Exchange Commission, Deloitte, Yahoo, fast food chain Sonic and international law firm Appleby.

As those organizations bit the bullet, Uber took these steps behind closed doors:

•Paid the hackers $100,000 to delete the data and stay silent about the theft

•Head-hunted, recruited and hired a new CEO, namely Khaosrowshahi

•Tossed its chief security officer, Joe Sullivan, and his deputy, under the bus

Khaosrowshahi was recruited away from Expedia’s top post in September 2017; he deserves combat pay if he can resolve a bumper crop of crises arising under his predecessor, Uber co-founder Travis Kalanick, who was forced out as CEO last June.

Under Kalanick, Uber came under fire for misrepresenting consumer and driver information; trying to take advantage of a New York taxi drivers’ work stoppage; enabling gender discrimination and sexual harassment; and deceiving police about local law violations.

Judging from the controversies it has engendered in 2017 one might think ‘shooting-from-the-hip’ is part and parcel of Uber’s business model; helping hackers achieve a new type of an extortion payment certainly meets that parameter.

Leichter

The $100,000 Uber coughed up was not, by any means, a classic ransomware payoff. Instead it was more of “an attempt to pay hush money to keep a breach secret,” says Willy Leichter, vice president of marketing at, Virsec Systems, a supplier of application security systems. “Uber’s actions seem particularly naïve and desperate. Accepting a hacker’s assurance that stolen data will be destroyed is both stupid and illegal.”

Riders get nothing

While Uber shot from the hip, its customers’ and drivers’ stolen personal information circulated afresh in the cyber underground – for 14 months. We, the individual victims, were left ignorant of the data theft and thus were deprived of the opportunity to take steps to protect ourselves.

Khaosrowshahi said in his Thanksgiving eve statement that Uber will supply its drivers with free credit monitoring and identity theft protection. He announced nothing for Uber riders.

This type of undue consumer exposure, spawned by self-serving corporate decision making, is precisely what data loss disclosure laws were enacted to mitigate. California enacted the first data loss disclosure law in 2003, requiring companies and organizations that lose personal information to inform the individuals whose data has gone missing. Since then 46 other states have passed similar laws.

“Breach notification laws are clear and specific – any exposure of private customer data must be reported,’’ Leichter noted

Yet Uber brashly took 14 months to get around to disclosing its breach, making Equifax’s delayed disclosure  — the credit rating agency discovered hackers stole data for 143 million customers on July 29 and did not disclose it publicly until Sept. 7 — look laudable by comparison.

Rising regulations

A reckoning is coming. I believe it will take the form of more states moving to enact more prescriptive cybersecurity certification rules that require companies to meet state-enforced standards, along the lines of new regulations in New York and Colorado.

Corporations loathe regulation, that’s a given. Yet there seems to be no end in sight to the parade of high-profile breaches. That translates into a steadily rising threat to the core integrity of our Internet-centric systems.

Gunn

“For a regulation to be effective, it has to be logical and relevant, and those who compose the regulation need to fully engage the technology community,” opines John Gunn, chief marketing officer at Vasco Data Security. “It has to have some real teeth, and it must be enforced on a consistent basis. Without active enforcement and meaningful penalties, it can be more economical for companies to intentionally snub regulations as Uber appears to have done.”

That shift, I believe, is coming very soon, at least for U.S. companies dealing with Europe’s tough new rules on data protection, which go into effect in  2018 across the European Union. For the first time, companies will be required to notify regulatory authorities, and potentially consumers, in the event of a significant cyber breach.

The EU’s General Data Protection Regulation (GDPR) has teeth: stiff penalties and anticipated vigorous enforcement.

Something has got to give. In the meantime, I’m taking Lyft.

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone