Recently, the US Department of Justice announced it had reached a non-prosecution agreement with Uber, following a criminal investigation into Uber’s 2016 data breach.
The breach of unprotected (unencrypted) data made headlines at the time as it involved the theft of approximately 57 million customer records. While it was dwarfed by massive breaches at River City Media, Spambot and Equifax around the same time, it was notable for three specific reasons: First, Uber attempted to conceal the privacy breach for over a year. Second, they paid the hackers $100,000 to delete the data and keep quiet about it. Finally, it led to the firing of the CSO and another high-ranking executive.
The fallout from the breach didn’t end there. At the time, Uber was already in talks with regulators over previous claims of privacy breaches. Following the breach, Uber was also sued for negligence as part of a proposed class action. Plus, in January of 2016, the New York attorney general had fined Uber for failing to promptly notify the authorities of a previous breach in 2014.
Understandably, Uber came in for some heavy criticism at the time. The customer privacy breach, and failure to disclose it, were at the core of the criminal investigation. Had the data been encrypted, there would have been no privacy breach and the data breach itself may not have qualified for notification.
In a Thales blog from November 2017, Jason Hart, then CTO for Data Protection at Gemalto, noted:
Three things should have been done better with regard to the Uber data breach: faster disclosure, better use of encryption for the entire data lifecycle, and the use of access management including strong multi-factor authentication.
Delay in disclosing erodes trust, and it belies the fact that breaches like this that access your data via cloud services are inevitable. The goal should not be to hide these breaches or even prevent them. It should be to make them secure breaches by taking a more intelligent, data-centric approach to security. This means knowing exactly where your valuable data resides, who has access to it, how it is transferred, and when and where it is encrypted and decrypted. All that needed to be done here was to secure access to the data and encrypt it; it’s what other organizations need to do in the future to avoid this.
The investigation ended in late July 2022, when the authorities reached a non-prosecution agreement with Uber. Several factors were cited in reaching the agreement, and it must be acknowledged that the incoming CEO, Dara Khosrowshahi, deserves credit for the way the breach incident was subsequently handled. Following a prompt disclosure of the breach to regulators and users alike, Uber has invested significantly in improving its data security infrastructure.
Trust nothing, encrypt everything
We have been highlighting the potential costs of a data breach for many years. The Uber incident is possibly unique because it exemplifies every potential negative outcome – financial penalties, a loss of reputation, extensive remediation costs and civil litigation.
Little seems to have changed over the past 5 years. Organisations around the world continue to suffer devastating data breaches, despite the rise in popularity of terms such as “zero trust architecture”. If your data is to remain protected, both at rest and in motion, zero trust needs to be more than just a buzzword.