Dwight Watt - Newspaper Article #403 1/3/2018

Question: How was the recently revealed Uber data breach mishandled?


In November Uber announced that there had been a data breach at Uber over a year earlier and that information on over 50 million users, including 600,000 drivers, had been stolen. They also announced they had paid the hacker who stole it a ransom to destroy the data and thought everything was ok.

First, you should not wait more than a few days to announce a breach in which users' information is stolen. In some states this delay is a violation of state law, and they are probably facing large lawsuits from those states.

Second, paying a ransom for the data is not a way to stop people from doing these breaches and only encourages them. They paid it through a legitimate program that rewards people for reporting security weaknesses they find. However, that program is not intended to pay people who used those weaknesses to rob you. If someone called and told you that they noticed your front door was unlocked late at night, you might reward them for telling you; however, if they had gone in and taken stuff, you would not reward them unless you view jail time as a reward.

The breach needed to be reported to the users whose information was stolen much sooner, so they could watch their accounts, place freezes, and take other protective steps. Not knowing it was stolen left them vulnerable.

When they paid the hacker, they said it was for him having destroyed the data. However, they have no way of knowing whether he made other copies or gave or sold the data to friends. Paying a ransom does not usually accomplish the outcome you want.

Basically, Uber has made themselves a textbook example of what not to do if a data breach occurs in your organization. In addition, they have not made people comfortable riding with them or driving for them, not knowing where else their security is weak.