In the past year, Uber has been driving down some extremely dangerous privacy roads. On Tuesday, Uber announced to the public that, more than a year earlier, it had taken a serious detour from the rules of the law: it had been the victim of a massive data breach affecting 57 million people, both drivers and riders.
Breaking Down the October 2016 Data Breach
Uber has announced that the information stolen by the hackers included the names, e-mail addresses, and phone numbers of the 57 million affected riders and drivers, plus the names and driver’s license numbers of roughly 600,000 U.S. drivers. The company also stated that no Social Security numbers, credit card information, or trip location history were taken.
The breach began with a private GitHub repository used by Uber’s software engineers. When developers build something, e.g. a mobile app, they make constant changes to the code, releasing new versions up to and after the first official (non-beta) release. Version control systems keep these revisions straight, storing the modifications in a central repository. This allows developers to collaborate easily: they can download the current version of the software, make changes, and upload the newest revision, and every developer with access can see, download, and build on those changes. The same property cuts the other way. Anything committed to the repository, including configuration files and any credentials pasted into them, is visible to everyone who can read the repository, and it stays in the repository’s history even after the offending line is deleted.
The two attackers accessed that private GitHub repository and then used credentials they obtained there to log in to an Amazon Web Services (AWS) account that handled computing tasks for the company. There they found an archive of driver and rider information. Eventually, they e-mailed Uber demanding $100,000, which Uber paid. Uber then had the hackers sign non-disclosure agreements (“NDAs”), promising not to publicize the attack. If that isn’t alarming enough, Uber recorded its ransom payment as a “bug bounty,” a payment that tech companies make to “white hat” researchers who find and responsibly report security bugs and holes, not to intruders who have already taken the data.
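The chain described above, a credential checked into source control and then replayed against a cloud account, is exactly what a pre-commit secret scan is meant to interrupt. The following is an added example, not Uber’s code and not part of the original article: a small Python scanner that flags AWS access key IDs and labelled secret access keys in files about to be committed. The file contents are constructed for the example; the key values are the placeholder keys that AWS’s own documentation uses, so they are not real credentials.

```python
"""Flag AWS credential material in files before they reach a shared repository.

Added example (not Uber's code). Run with file paths as arguments, or with no
arguments to scan the constructed SAMPLE_FILES below.
"""
import re
import sys
from dataclasses import dataclass

# Long-term IAM user access key IDs start with AKIA, temporary STS keys with
# ASIA; both are followed by 16 upper-case alphanumerics (20 characters total).
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")

# Secret access keys are 40 characters from a base64-like alphabet. A bare
# 40-character string is too common (hex digests, tokens), so the secret is
# only flagged when it is assigned to a variable whose name says what it is.
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?(?:access[_-]?)?key\s*[:=]\s*['\"]?"
    r"([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"
)


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    value: str  # partially redacted so the report itself does not leak the key


def redact(value: str) -> str:
    """Keep just enough of the key to locate it, never the whole thing."""
    return value[:4] + "..." + value[-4:]


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per credential-looking match, with its line number."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(path, line_no, "aws_access_key_id", redact(m.group(1))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append(Finding(path, line_no, "aws_secret_access_key", redact(m.group(1))))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> file contents (e.g. the staged files of a commit)."""
    results = []
    for path, text in files.items():
        results.extend(scan_text(path, text))
    return results


def commit_allowed(files: dict[str, str]) -> bool:
    """Pre-commit decision: block the commit if any credential material was found."""
    return not scan_files(files)


# Constructed sample repository contents (not real files from any project).
SAMPLE_FILES = {
    "config/settings.py": (
        "# constructed sample: long-term IAM user keys pasted into app config\n"
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    ),
    "README.md": "# Service\n\nObtain AWS credentials from the instance role, never from this repo.\n",
    "tests/fixtures.py": (
        "# a 40-character hex digest: same length as a secret key, but not labelled as one\n"
        "EXPECTED_SHA1 = 'da39a3ee5e6b4b0d3255bfef95601890afd80709'\n"
    ),
}


def main(argv: list[str]) -> int:
    if len(argv) > 1:
        files = {p: open(p, encoding="utf-8", errors="replace").read() for p in argv[1:]}
    else:
        files = SAMPLE_FILES
    findings = scan_files(files)
    for f in findings:
        print(f"{f.path}:{f.line_no}: {f.kind} {f.value}")
    if findings:
        print("commit blocked: credential material found", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

As a hook, `git diff --cached --name-only | xargs python scan_secrets.py` (the file name is an assumption) runs the check over exactly the files about to be committed. Two caveats a practitioner should keep in mind: the scanner only sees the working tree, so a key that was committed last year is still in the history and in every clone; and because of that, the remedy for a key that ever reached the repository is to rotate it at the provider, not to delete the line.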
Does Uber’s Ransom Payment Send the Wrong Message to Consumers and Hackers?
Those in the security and tech industry have questioned whether Uber’s decision to give in to the hackers’ demands and pay the $100,000 ransom sends the wrong message to other black-hatters. Uber claims the attackers deleted their “only” copy of the stolen data, but that rests on the assumption that the data had not already been shared with or sold to third parties, an assumption no one outside the attackers can verify.
What’s interesting is that Uber took it a step further, tracked down the hackers, and had them sign a non-disclosure agreement to legally bind them to secrecy. The question that remains is whether an NDA is enforceable against these attackers if they choose to violate it (assuming they haven’t already).
Uber’s History of Legal Trouble and the Cyber-Insanity Argument
Since the company’s founding in 2009, Uber has been the subject of at least five (5) criminal probes into sexual harassment, potential bribes, illicit software, illegal monitoring, questionable pricing schemes, and theft of a competitor’s intellectual property. The most alarming part of Uber’s departure from the rules of the road is the length to which it went to ensure this breach was concealed from the public. Whether it was inheriting his predecessor’s prior privacy violations or the risk of losing his newly appointed position, Khosrowshahi went to great lengths to ensure this detour stayed internal.
“While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes,” —Dara Khosrowshahi, Chief Executive Officer
In its disclosure, Uber indicated that no Social Security numbers, credit card information, bank account numbers, or trip location history were taken. Yet, as payment information is the key to using the Uber application, it is very hard to believe that this information was not in any way exposed, shared, and/or distributed. To have a valid account, a rider must link a payment card and a driver must link bank routing and account numbers so that funds can flow in or out of the application.
Insanity—doing the same thing over again and expecting different results. Add “cyber” to that and you have the past year’s worth of conduct that Uber has repeatedly engaged in, hoping that it will either succeed or be able to serve as an exception to the regulations implemented by the FTC.
Was Uber’s Disclosure One Year Too Long?
Although Uber disclosed the data breach a year late, it will still attempt to claim that it complied with California Civil Code sections 1798.29(a) and 1798.82(a), which require disclosure and notification of a data breach to the affected agency and individuals. In 2002, California became the first state in the U.S. to require notification of security breaches. By the time of Uber’s disclosure, forty-eight (48) of the fifty (50) U.S. states had passed laws requiring disclosure, but the laws vary in when and how notice must be given, and most allow delays while the intrusion is investigated.
Investigations into breaches can take weeks and even months, but Uber’s decision to withhold the information for over a year is hard to defend, because the company took steps well beyond investigating: it covered up the breach and the considerable expense of paying the ransom.
Since Uber’s disclosure on Tuesday, New York Attorney General Eric Schneiderman has launched an investigation into the data breach.
Uber Faces Two Lawsuits in Negligence
Since Tuesday’s disclosure, Uber has been hit with two (2) negligence lawsuits. In both cases, the plaintiffs say the company failed to secure the data of its 50 million riders and 7 million drivers, and then paid $100,000 to have the stolen data deleted and to keep news of the breach quiet.
The first lawsuit, Alejandro Flores v. Rasier, filed on Tuesday in federal court in Los Angeles, described Uber’s conduct as “grossly negligent” and added that the company “departed from all reasonable standards of care.” The defendant, Rasier, is the Uber subsidiary that contracts with drivers.
The second lawsuit, Danyelle Townsend and Ken Tew v. Uber, filed on Wednesday in federal court in San Francisco on behalf of two South Carolina residents, alleges that the company should have had “administrative, physical, and technical safeguards, such as intrusion detection processes that detect data breaches in a timely manner, to protect and secure Plaintiffs’ and Nationwide Class members’ [personally identifiable information].”
Like Equifax, Uber is providing affected drivers with free credit monitoring and identity theft protection. For anyone concerned about whether they have been affected, it is always worthwhile to:
- Change email addresses
- Check bank statements
- Request new credit card numbers and/or debit card numbers to re-link to Uber accounts
- Treat unexpected e-mails, texts, or calls that reference your Uber account with suspicion, since names, e-mail addresses, and phone numbers are exactly what a phishing campaign needs
Andrew Rossow is a Contributor for The Huff Post and an Internet Attorney in Dayton, Ohio. To stay updated on Rossow’s publications, please follow his #CYBERBYTE on Twitter at @RossowEsq and his official FB page at @drossowlaw.