A 1 Year Disclosure Gap From Hack
In late 2016, an Uber data breach compromised the data of 600,000 drivers in the United States and some personal information(read: not credit cards) of 57 million Uber users around the world. For scale, in late 2016, then CEO Kalanick said Uber had 40 million active users.
It wasn’t until November 2017 that Uber released an official statement on the subject. To address stakeholder concerns, they offered free credit monitoring to their drivers, though not to riders as they “do not believe any individual rider needs to take any action“
Adding to this nightmare, between the data breach and the disclosure, Uber has closed 2 funding rounds, in April and September 2017. Given these rounds, one can only hope for the sake of Uber’s credibility that investors knew about the breach.
This wasn’t their first major data breach. In 2014 they failed to disclose a breach in a timely manner, though one smaller in scale.
Regulatory Requirements in Disclosure
There will be plenty more information to come out of this as regulatory bodies begin to wade through the details of the breach and the delay in coming clean. In looking to the future, if this were 2018, Uber would likely face a GDPR violation with fines exceeding €20 million, since they took more than the designated 72 hours (they took almost a year!) to disclose the breach.
Uber could handle the €20 million fee. It’s a big number, but small when compared to the $11 billion or so they’ve raised. The PR hit they suffer might be larger. When Uber attempted to curry favor by promising airport rides in New York while local cabbies striked to protest the 2017 Trump Travel Ban, 200,000 users #delete(d)Uber – nearly .5% of their users (assuming they were active).
The average active Uber user is spending $50/month. That works out to $10 million/month in lost revenues – that is a very significant number, especially given with the tiny margins Uber operates on. We also have no idea on how this might impact the number of drivers and the resulting availability of service, while the #deleteUber movement was certainly one of the biggest gifts Lyft and other competitors ever saw.
Meanwhile in The US
While GDPR has a 72 hour window of disclosure, in the US it is currently (way) more complicated. Each state has developed their own policies, not only making it more difficult for legal proceedings against companies, but also for companies to navigate.
There was an effort by the Obama administration to impose 30 days as a “maximum reasonable delay” in disclosing data breaches but, as you might suspect, you’ll need to use the Wayback Machine to access it on the White House website.
It’s quite imperative this gets done. It needs to be done to facilitate SMBs’ navigation of legal requirements. It needs to provide a unified standard in disclosing data breaches and protect users whose information has been compromised. It should stipulate the requirement outlining how companies must take action to ensure corrective action.
I won’t even get into the SEC and insider trading implications.
Should you be confident with your data being held by Uber? Your guess is probably as good as ours. A 1 year gap in disclosure is very worrisome and a lot of damage can occur in that timeframe. A very important step to reassuring consumers, would be to create a national policy.
As an aside, in Canada, PIPEDA (Personal Information Protection and Electronic Documents Act) requires reporting of breaches with appropriate action taken to notify customers and remedy the situation – but no time period appears to be stipulated.
Could Your Business Survive A Data Breach?
While Uber will continue to fight another day, how quickly would your users abandon you? Could you afford a loss of this scale in a competitive market?
It’s increasingly becoming evident that taking any chance with compliance, data security and security related PR nightmares, should have zero tolerance in your organization. The small cost to your business in securing your cyber, data and email security deserves to be a fundamental consideration to your IT strategy or you face very serious, possibly terminal, risk.