Instead, Uber allegedly paid the perpetrators a hefty sum to delete the evidence of said data breach, according to Bloomberg. Things have come full circle though, with new CEO Dara Khosrowshahi seemingly inheriting another issue instigated by predecessor Travis Kalanick.
Addressing the matter, Khosrowshahi said in a Guardian statement that while there was no excuse for the incident, he had “obtained assurances that the downloaded data had been destroyed” – and was already ramping up security efforts.
But despite his assurances, Sam Curry, chief security officer for Cybereason, believes “difficult consequences will need to follow” if the company hopes to retain some if its reputation.
“Uber paid a bribe to make the data breach go away and acted as if it was above the law,” Curry opined. “Those responsible for the integrity and confidentiality of the data had covered it up. This is a wake up call to the industry that those in charge of security have a responsibility not just to the companies that they work for, but the people whose data is affected.
“There should never be a grey area as to what the right thing to do is – a topic that needs to be further discussed.”
That more should have been done to prevent the situation is a view point numerous experts are taking. Jason Hart, CTO of data protection at Gemalto, for example, exclaimed Uber could have benefitted from faster disclosure and better use of data encryption. He also portrays a note of concern.
So close to the implementation of GDPR, it’s worrying that such high-profile companies don’t seem geared for the reporting process. The Uber case should thus serve as an example of the importance of transparency and accountability for businesses.
“Organisations won’t be able to get away with keeping breaches hidden or paying off hackers under the table from May 2018 onwards,” Ross Brewer, VP and MD EMEA at LogRhythm, said. “Going forward, bosses will need to be open and honest when breaches inevitably happen, and do their best to remediate the situation as quickly as possible, while making sure they disclose the breach within the short 72 hour window.
“Because, while the scale of this breach is incredible, it’s not the data breach itself which is causing the headlines, it’s the aftermath and how it’s been handled.”