The scandal engulfing Uber and its cyber breach could have serious and long-lasting ramifications for the business, with users and regulators alike baying for blood.
By now you have probably heard the news about a massive cyber attack against the ridesharing platform. Reports suggest as many as 57 million user accounts worldwide have been compromised, including as many as 10 per cent of Australian users.
Yet the real cause of agitation globally is not so much the hack itself – widespread attacks against high-profile targets have become almost commonplace: LinkedIn, Yahoo and Equifax to name just a few.
Instead, it is the allegation that Uber deliberately tried to cover up the security breach by not reporting it to authorities and paying hackers around $132,000 in ransom in a bid to return the stolen data.
“The company has adopted a cavalier attitude to pesky rules and regulations around the world”, cried an opinion piece in The Australian Financial Review.
The result has been swift condemnation, which could have a lasting impact on Uber’s brand and its ability to grow – and even retain – customers.
“As a regular Uber customer myself, this news makes me incredibly angry. Uber has treated its customers with a complete lack of respect,” said Raj Samani, chief scientist and fellow at cyber security firm McAfee.
“Millions of people will now be worrying over what has happened to their personal data over the past 12 months, and Uber is directly responsible for this. In opting to not only cover up the breach, but actually pay the hackers, Uber has directly contributed to the growth of cyber crime and the company needs to be held accountable for this.”
Vice president of McAfee Labs, Vincent Weafer, suggested this particular data breach is quite different from those that have come before.
“The challenge of course is that companies need to disclose breaches very early on in the process. There are requirements as well as fiduciary responsibilities to disclose that people’s data has been exposed to risks. In this case, it was over a year before that disclosure came out,” he said.
“In this case, it’s [unclear] if the data is still in the wild and exploitable or [if] Uber [has been] effective in mitigating the risk by paying the hackers.”
He urged other businesses of all sizes to take heed of Uber’s faux pas and take the threat posed by cyber attacks seriously, as well as the ramifications of various responses to a breach.
“This is a good example of why organisations need to be very careful of how credentials are used and managed,” said Mr Weafer.
“We know attackers have been trying to track down administrator credentials – the keys to the kingdom – that allow them to move around within an organisation with ease. Keeping those credentials separate and different for various repositories, as well as managing them in a secure manner should be treated as a core principle of security info management.”