Uber, the world's most famous disruptor of the taxi industry, has never been short of controversy. Whether it be accusations of poor employment practices, sexual harassment at HQ or its never-ending legal duels with various city councils, the workload for Uber's public relations department is colourful to say the least.
To add to its accolades of notoriety, Uber has recently come clean about a breach it suffered in 2016, when the personal data of some 57 million riders and drivers, including the driving licence numbers of around 600,000 US drivers, was accessed and stolen by an external party. With less than six months until the European GDPR (General Data Protection Regulation) becomes enforceable, this admission is well timed to avoid becoming the daddy of all test cases, but instead leaves us with speculation about what could have happened and what we can learn from Uber's response to a breach.
The Uber data breach case dissected
In November 2017, Dara Khosrowshahi, CEO of Uber, announced that he had become aware of a breach dating back to 2016 which had not been disclosed to the public at the time of discovery. An unidentified external party deliberately gained unauthorised access to a third-party cloud service and downloaded vast quantities of personal data relating to drivers and customers. Once Uber detected the breach, it made contact with the alleged perpetrators and paid a ransom in exchange for the destruction of the personal information.
This remained a company secret until now.
What not to do post-breach
So where do we begin? The overriding head-shake invoker is the attempt to hide the breach by throwing money at it. Rather than notify the data subjects affected, Uber paid a ransom in exchange for a loose agreement to destroy the personal data, something which can be neither enforced nor verified. Had this come to light later in 2018, Uber would have been in breach of the GDPR's notification requirements: a data controller must notify the supervisory authority within 72 hours of becoming aware of a breach (Article 33) and must inform the affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Article 34). To Uber's credit, the drivers affected are based in the US only and consequently are not subject to the rights afforded under the GDPR, and since going public it has offered all affected drivers free identity theft monitoring services. Better late than never.
Also in question are the security controls applied to the cloud service and whether it was appropriate to use that service to store such sensitive data. Uber makes a point of its internal systems not having been breached, as though to shift the blame onto the cloud provider. That distinction carries little weight: a cloud provider secures the platform, but the credentials, access configuration and data placed on it remain the customer's responsibility, and under the GDPR data controllers are expected to assess their data processors for suitability. It is arguable that the cloud service had weaker security controls than Uber itself, but this is exactly the kind of finding which should have been highlighted and considered in a risk assessment or DPIA (data protection impact assessment).
Finally, whether you believe Dara's obliviousness or not, there appear to be significant communication issues at Uber when it comes to incident and breach response. While the GDPR does not prescribe an incident response plan or an escalation channel, any good IT practitioner would agree that the CEO of an organisation should be briefed, and a pre-defined incident response plan should be followed, when a breach of this magnitude takes place. In this case, Uber's reaction appears to have been more ad hoc than rehearsed.
GDPR lessons to learn in a nutshell
After May 2018, organisations such as Uber are unlikely to get the easy ride (pun intended) they have come to expect in the past. Consider the following to avoid the mistakes of Uber:
- Assess your data processors for their suitability to process personal data. Document and justify your outcome.
- Have an incident response plan, rehearse it, and notify key stakeholders when significant breaches take place.
- Where a breach risks the rights and freedoms of data subjects, inform the competent supervisory authority within 72 hours of becoming aware of it, and inform the affected data subjects without undue delay where the risk to them is high.
- Prepare for the requirement to compensate affected data subjects, whether that be through remedial action or monetary compensation.
- Never pay ransoms: payment buys no verifiable guarantee that the data has been destroyed, and it does not discharge your notification obligations.
The administrative penalties under the GDPR are well known and widely discussed. Although not every breach will result in a monetary penalty, the concealment of a breach for a year, the quantity of personal data involved and the types of personal data exposed are all factors in a supervisory authority's decision. Uber in this case was not just a victim of misfortune but was also let down by bad choices and its own poor preparation. It serves as a good lesson for the rest of us in what not to do and what to avoid.