Stop Us If You’ve Heard This Before...
Last week, Uber, the embattled ridesharing company, made public the details of a compromise of personal user data that occurred in October 2016. The data exposed includes the names, email addresses, and phone numbers of approximately 57 million riders and drivers, plus the driver's license numbers of about 600,000 drivers. There is one silver lining: according to Uber, no Social Security numbers, credit card information, or trip location details were taken.
According to Bloomberg, two hackers gained access to a private GitHub repository that Uber engineers used to store code and track projects. Embedded in that source code were credentials for an Amazon Web Services account where Uber stored user data. Using those credentials, the hackers downloaded the data, then contacted Uber demanding money in exchange for deleting it.
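The root cause above, a live cloud credential committed to source code, is also one of the easiest breach classes to catch before it ships. The following is an added example, not Uber's code and not from the article: a small pre-commit style scanner that flags AWS access key IDs by their fixed format and candidate secret access keys by a variable-name pattern plus a Shannon-entropy check (so placeholder strings of zeros are not reported). The sample files are constructed here; the key pair in them is the placeholder pair from AWS's own documentation, not a real credential. The function names (`scan_source`, `precommit_gate`) and the entropy threshold of 4.0 bits per character are assumptions of this example.

```python
import math
import re
from typing import Dict, List, Tuple

# AWS access key IDs have a fixed shape: "AKIA" (long-term IAM user key) or
# "ASIA" (temporary STS key) followed by 16 upper-case alphanumerics.
AWS_ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")

# Candidate secret access keys: a variable whose name contains "secret ... key",
# followed by exactly 40 characters from the base64-style alphabet.
AWS_SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws_?)?secret(?:_?access)?_?key\W{0,5}([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character. Real secrets are close to random;
    placeholders such as '0000...' or 'xxxx...' are not."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_source(text: str, entropy_threshold: float = 4.0) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, value) for every likely AWS credential in text.
    The entropy threshold (assumed value) suppresses obvious placeholder secrets."""
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_RE.finditer(line):
            findings.append((lineno, "aws_access_key_id", m.group(1)))
        for m in AWS_SECRET_KEY_RE.finditer(line):
            secret = m.group(1)
            if shannon_entropy(secret) >= entropy_threshold:
                findings.append((lineno, "aws_secret_access_key", secret))
    return findings


def precommit_gate(files: Dict[str, str]) -> bool:
    """Return True when every staged file is clean, False (with a report) otherwise.
    Removing the line later does not scrub git history: a leaked key must be rotated."""
    clean = True
    for path, content in files.items():
        for lineno, kind, value in scan_source(content):
            clean = False
            masked = value[:4] + "..." + value[-4:]
            print(f"{path}:{lineno}: {kind} {masked} -- revoke/rotate this key, do not just delete the line")
    return clean


# Constructed sample inputs. The key pair is the documented AWS example pair, not a real credential.
LEAKY_SOURCE = '''\
# settings.py (constructed example)
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
# aws_secret_access_key = "0000000000000000000000000000000000000000"  # dev placeholder, low entropy
BUCKET = "rider-exports"
'''

# Hardened form: the credential never appears in the repository at all; it is injected
# at runtime from the environment (populated by a secrets manager or an instance role).
CLEAN_SOURCE = '''\
import os
AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
AWS_SECRET_ACCESS_KEY = os.environ["AWS_SECRET_ACCESS_KEY"]
'''

if __name__ == "__main__":
    print("leaky settings.py passes gate:", precommit_gate({"settings.py": LEAKY_SOURCE}))
    print("clean settings.py passes gate:", precommit_gate({"settings.py": CLEAN_SOURCE}))
```

Run as a pre-commit hook over the staged files, this blocks the commit that would have shipped the key; the same scan run across the full git history (every commit, not just HEAD) is the check to perform after the fact, since a key that was ever committed must be treated as disclosed and rotated regardless of whether the current tree still contains it.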
At the time, Uber was settling two separate legal matters over the way it handled customer data, and the company chose to pay the hackers $100,000 in exchange for signing a non-disclosure agreement and, allegedly, deleting the stolen data. Uber kept the October 2016 hack under wraps until last week, when it fired the two employees responsible for the cover-up: the chief security officer and one of his deputies.
Current Uber CEO Dara Khosrowshahi was reportedly informed of the breach in September 2017, shortly after taking the reins of the organization. Khosrowshahi immediately launched an internal investigation, and two months later Uber finally reported the breach to the public. Unfortunately, the damage had already been done and covered up, despite the new CEO's attempt to change the way the beleaguered company does business.
What Can We Learn From These Breaches?
After the recent revelations regarding the breaches affecting internet giant Yahoo and credit bureau Equifax, the Uber announcement is the latest in an increasingly common pattern of large corporations reacting to breaches in a less than ideal manner. According to the Harvard Business Review, breached corporations tend to repeat several common mistakes: delayed response and lack of transparency (Uber didn't notify users until over a year after the breach and conspired to cover it up), poor customer service (no guidance for affected users is easily available on Uber's main website or Twitter account), and failure to accept accountability (Uber had been breached before, in 2014). The recent responses by Uber, Yahoo, and Equifax all follow this pattern.
If your organization suffers the unfortunate fate of being compromised by hackers, it is imperative that you have a plan to respond properly and disclose the breach to your customers. Companies that follow these steps have been much more successful in navigating the fallout from a breach and recovering their brand more quickly:
- Don't drag your feet. Perform your investigation, determine what was stolen and how, and report the breach to your customers on a timely basis. Most states have a breach-notification law; many set a hard deadline (commonly 30 to 90 days) and the rest require notification "without unreasonable delay." The EU General Data Protection Regulation gives companies 72 hours from becoming aware of a breach to notify the supervisory authority, and requires notifying affected individuals without undue delay when the breach poses a high risk to them. It's only a matter of time before the US has a federal law setting stricter standards than exist today. Timely notification gives customers the chance to change passwords, freeze credit, and watch their accounts before the stolen data is used against them, which greatly reduces the share of affected users who go on to suffer identity theft.
- Perform good customer service. You lost your customers' data; it is now your responsibility to do right by them, whatever it takes. If that means resetting user passwords en masse, providing more than just 12 months of credit monitoring (and not asking your customers to waive their right to sue in exchange), or simply not trying to make a dollar off of the misfortune of your users, do it. Doing right by your customers will help win their trust back much more quickly.
- Be transparent. Most breach announcements lead with an initial count of users affected, and by the time the investigation is complete that number has usually grown significantly. Be truthful about your investigation, report the facts to the public, and provide regular updates. It's also OK to say, "we don't know at this time." Just follow up when you do.
- Accept responsibility. The incident happened, and it happened on your watch. The world knows. Accept responsibility publicly and quickly, then begin to repair.
- Plan ahead. Don't get caught by surprise. Be sure you have a good Incident Response Plan, built around the five functions of the NIST Cybersecurity Framework (identify, protect, detect, respond, and recover), in place before something bad happens to your organization. It's not "if" something bad will happen, it's "when."
If you were personally affected by the Uber breach (or any other breach for that matter), please check out a few of our previous articles: Your Secret Information Is No Longer Secret for steps you can take to mitigate your identity theft risk and Equifax: Lessons Learned for some good business processes improvements to help prevent or respond to a breach.
Written by: Daniel Klosterman
Information Security Consultant - SBS CyberSecurity, LLC
- If your Incident Response Plan needs an update, but you're not sure where to start or what to include, SBS can help. A good Incident Response Plan should not only help you identify the incidents that could potentially affect your organization and protect against them up front; it should also help you detect an incident once it has occurred, contain and recover from it, and respond to the public.
- SBS Password Tips - https://sbscyber.com/resources/the-password-is-dead-long-live-the-password
Join our growing community of financial service professionals showing their commitment to strong cybersecurity with a cyber-specific certification through the SBS Institute.
Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours meet monthly to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS also offers products and services to help financial institutions with these specific issues.