It should be no surprise that another large company has been hacked. Most Cyber Security professionals will tell you it’s not a matter of if, but when your organization will suffer a breach. It has recently come to light that ride-sharing giant Uber suffered such a breach in 2016. If the fact that 57 million users had their data stolen isn’t shocking enough, Uber also tried to hide the breach by paying hackers $100,000 to delete this data and keep the incident quiet. According to a Forbes article on the breach, Uber is “a shady company that does shady things.” They explain “Uber’s security leaders took the actions they did because: a) they expected to get away with it, b) it aligned with Uber’s corporate culture, and c) it followed the pattern of how Uber handled issues.” Yikes!
As a result of these latest developments, Uber is now facing some serious legal issues. Lawsuits are starting to pile up on Uber, everything from class action suits to the Washington State Attorney General filing a consumer protection lawsuit against the company. According to state law, Washington residents must be notified within 45 days of the breach, and the Attorney General must also be notified within 45 days. At over a year since the breach, Uber is clearly in violation.
In addition to the lawsuits, some high-profile firings have also come about. “Former CISO Joe Sullivan, who spearheaded incident response, and his deputy have both been fired for mishandling the hack.” A new CEO, Dara Khosrowshahi, is now tasked with handling the breach, and with improving security measures at the company. Khosrowshahi has said "we will learn from our mistakes" and "we are changing the way we do business."
From what we have seen in the news so far, everything that Uber has done is the wrong way to handle a breach. So far, the fallout has been a decline in consumer trust and lawsuits, with many more to come. So, what should your organization do in the event of a breach?
Most consumers are far more concerned with how a breach is handled than with the fact that one occurred. According to an article on Entrepreneur.com, transparency is key if you want to maintain trust with consumers: “If you make a mistake, admit to it. If you have some bad news, reveal it in full. The more open and honest you are about what happens behind the scenes of your company, the more people will be able to trust you -- even if everything you say isn’t 100 percent positive.” In addition, companies need to build a breach response plan to prepare for a breach, and prepare for the response after the fact. A company that knows how it secures its data, knows what may be vulnerable, and becomes aware of a breach right away tends to have more credibility with consumers. Breach Readiness as a Service (BRaaS) is a new service available from Uzado, which can also help a business prepare for a breach. “Uzado's BRaaS offers customers a proven proactive approach in preparation for a breach. Uzado will work with organizations to set up policies and procedures, form response teams where individuals will be assigned specific roles, establish the required channels of communications, and much more.”
Dave Millier wrote Breached: A Cautionary Tale of Cybersecurity and Intrigue in 2015 based on his observations from many years of IT security consulting. Seeing all the mistakes made by businesses in dealing with security, he foresaw the coming vulnerabilities inherent in our mobile-app-dependent world. The story of Breached revolves around a trendy brew pub’s app that gets hacked, how the company struggles with how to handle the situation and how to prevent something similar in the future. Fast forward to today, and we are dealing with an app that not only suffered a breach, but tried to cover it up! Real life really does imitate fiction! Despite how quickly technology evolves, Millier’s book is still a must-read for executives who want to prevent an Uber disaster.