Uber Breach: A Managed Travel Perspective
After revealing a breach of 57 million accounts that occurred more than a year ago, Uber is monitoring the accounts of affected riders, though it reports "no evidence of fraud or misuse" of rider accounts to date.
In October 2016, two hackers accessed data stored on a third-party cloud service used by Uber, including names and driver's licenses of 600,000 drivers in the U.S., as well as data like names, email addresses and mobile numbers of users around the world, CEO Dara Khosrowshahi said in a post on the ride-hailing service's website. There is no indication that more sensitive information like credit card numbers, social security numbers or ride histories was accessed, he said. Uber has flagged affected accounts for additional fraud protection and is offering free credit monitoring and identity theft protection to drivers whose license numbers were accessed.
Uber is drawing fire for the delayed reporting of the breach, which occurred under the watch of Khosrowshahi's predecessor, Uber co-founder Travis Kalanick. Bloomberg reported that Uber paid $100,000 to the hackers to delete the data and remain quiet about the incident.
Khosrowshahi, who was hired as CEO in August, said he requested a thorough investigation of the breach, which led Uber to notify regulatory authorities and dismiss two Uber employees who led the response. Khosrowshahi also brought on board cybersecurity expert Matt Olsen, former general counsel of the U.S. National Security Agency and National Counterterrorism Center director, to restructure Uber's security teams and processes. "None of this should have happened, and I will not make excuses for it," Khosrowshahi said. "While I can't erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes."
In the meantime, Uber faces investigations into the breach and its response, including from the office of New York State Attorney General Eric Schneiderman and regulators in the U.K., where Uber is already appealing a decision to end its operating license in London. Other U.S. states and the U.S. Federal Trade Commission are likely to join in investigating, according to Bloomberg.
A Managed Travel Perspective
Samantha Simms, founder and principal consultant of The Information Collective, voiced sharp criticism of Uber's secrecy surrounding the massive data breach the sharing economy company reported last week after knowing of the breach for more than a year. Practices like these, she said, not only flout current and pending regulations, they will also hurt Uber's partnership prospects in the managed travel world.
"Without sufficient information from Uber, we cannot assess the impact this event has had on business travelers," Simms said, also noting that Uber's failure to report the hack in a timely fashion has likely breached disclosure rules in some U.S. states. Multiple states, including Connecticut, Illinois, Massachusetts, Missouri and New York, are currently investigating the matter.
There is no such disclosure obligation currently in the EU, but this will change under the Global Data Privacy Regulation, which goes into effect in May. At that point, delayed disclosures will have farther-reaching consequences, including penalties up to 4 percent of a company's revenues. "[Stricter disclosure requirements] will give travel managers a chance to do what they can to mitigate any risks for the personal data of their travelers," Simms said.
"Incidents happen, but it's how we handle them that shows how we operate as a business," she added. "This will not bode well for Uber's reputation when it is already under discussion by regulators on other matters."
—Additional reporting by Amon Cohen
Article updated Nov. 27, 2017 at 12:42pm EDT