Uber has been fined $148 million over its response to the hacking of its systems after reaching a settlement with US state law enforcement authorities (for the 50 states and the District of Columbia). 

In parallel, the Information Commissioner’s Office (ICO) fined Uber £385,000 in relation to the same hack. The ICO was critical of the security failures and particularly Uber’s failure to take steps to inform the affected data subjects whose data had been compromised.

The hack 

Uber in the US suffered a significant hack of its systems in 2016, exposing the personal data of drivers and millions of customers. Uber’s systems were susceptible to credential stuffing, whereby previously compromised username and password pairs are injected into a website until they match up with an existing account. This granted the attackers access to Uber’s cloud-based storage system, which stored personal data for the USA as well as other jurisdictions including the UK. The attackers gained access to personal data relating to 600,000 drivers in the US alone as well as 57 million customers.

The UK part of the breach related to 2.7 million customers and 82,000 drivers. The attackers gained access to email addresses, names and phone numbers as well as journey details and records of payments made relating to individual drivers. Uber did not think that the attackers accessed financial details such as credit card numbers.

The coverup

Rather than notifying authorities, Uber in the US paid the hackers $100,000 to delete the data and keep the hack quiet. Uber only acknowledged the breach in November 2017. The payment of money in response to extortion/ransomware raises further challenging legal and ethical issues. 

The ICO found out about the breach after the public acknowledgment and called for Uber to notify affected data subjects urgently.

Bug bounties

Uber in the US reportedly concealed the $100,000 payment by miscategorising it as a “bug bounty” payment. A bug bounty is a payment made by a company to a white hat hacker after they have identified a security vulnerability affecting that company. White hat hackers are good actors who use their hacking skills to find vulnerabilities in a company’s systems and then flag these to the company before malicious hackers (known as black hat hackers) can detect and exploit them, as happened in this case.

Bug bounties are arranged on pre-agreed terms; in return for the payment, the white hat hacker agrees, as part of those terms, not to exploit the vulnerability.

Consequences of the data breach

Following revelations of the data breach about a year later, Uber replaced executives involved in the cover-up and hired experts including Ruby Zefo as Chief Privacy Officer and Matt Olsen as Chief Trust & Security Officer. It’s normal for businesses notifying data breaches to conduct a thorough investigation, identify procedures and systems that require improvement, provide a detailed report back to regulators, and expand training for their employees. Such measures can encourage leniency on the part of regulators and help to repair damaged reputations.

New York Attorney General Barbara Underwood commented: “This record settlement should send a clear message: we have zero tolerance for those who skirt the law and leave consumer and employee information vulnerable to exploitation…”

The severity of the US fine mainly reflects the failure to notify law enforcement, rather than the initial security vulnerability that was exploited by the hackers or the sheer volume of data that was exposed.

Consequences in the UK

The UK fine of £385,000 was comparatively low because it was issued under the old regime pre-GDPR, where the maximum possible fine was only £500,000. It’s also worth noting that under the old regime, there was no obligation to report the data breach to the ICO, but the ICO was still critical of Uber’s conduct in concealing the data breach, as this increased the risk to the data subjects.

Steve Eckersley, the ICO Director of Investigations, commented: “This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen. At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.” 

The ICO also noted that the data stolen by the hackers “may make other scams, such as bogus emails or calls, appear more credible. People should continue to be vigilant and follow the advice from the National Cyber Security Centre (NCSC).”

Comparing data protection in the US and the UK

The regulation of data protection in the US is largely done at the state level, rather than under a single federal law providing for a single regulator. This means that when a significant data breach occurs, it is likely to trigger multiple notification requirements in different states. The trigger, thresholds and requirements for notification will vary from state to state. Some states require businesses to notify the affected consumers, some require a notification of a state regulator and others require both.

By contrast, in the UK, since 25 May 2018, the General Data Protection Regulation (GDPR) has regulated data breach notification. Article 33 requires mandatory notification of a data breach to the ICO (unless it is unlikely to result in a risk to the rights of data subjects) without undue delay and within 72 hours. Similarly, article 34 provides for mandatory notification of affected data subjects without undue delay. Businesses operating in the UK should be able to expect reasonably consistent regulation, compared to the US. The ICO is proactive in issuing guidance for both businesses and consumers, alongside the National Cyber Security Centre.

What should your business be doing now?

Businesses of all sizes should have in place robust security policies to assess the risk of a data breach, and processes and procedures for staff to follow to prevent and/or minimise a breach. Businesses should also have in place an incident response plan, setting out how an incident response team will respond to any data breach in terms of triage, containment, eradication, notification/reporting and recovery.

The plan should set out sources of external support e.g. cyber consultants, lawyers, PR and forensics that may be able to assist. There should be a framework for deciding whether it’s necessary to notify the ICO or affected data subjects following a cyber-attack that causes a personal data breach.

How can Steer & Co help you with incident response?

We have experience in preparing and reviewing internal policies to help businesses risk-assess and prevent data breaches and provide incident response. We tailor support based on a client’s own capabilities and resources. We also support clients involved in data and cyber breaches and have recently advised a retailer in relation to the fallout from a white-hat hacker publishing details of a security vulnerability in an Application Programming Interface servicing its mobile apps, which could have resulted in disclosure of personal data. This included advising on strategy, notification of the ICO, preparing a detailed report of the incident and drafting communications to affected customers and press releases.

For more information or advice, please contact Nic Ruesink-Brown nic.ruesink-brown@steerandco.com