Uber slated for “amateur” data breach and cover-up

Uber made several cardinal errors in its handling of data security and the fall out from a cyber breach, media reported this week.

The theft from the company of 57 million customers’ and drivers’ personal data was not revealed publicly until this week but happened in October 2016, Bloomberg reported on Tuesday.

The company paid the hackers $100,000 to delete the information and keep quiet.

The company’s failure to disclose the breach was “amateur hour”, David Hoofnagle of the Berkeley Center for Law and Technology told the Guardian.

It made little sense to cover up the breach, as the only way the company would have direct liability under security breach notification statutes would be if it did not give notice, he said.

The fact the data were being stored unencrypted was an “unforgivable” error, cyber security firm Bullguard commented.

The New York state attorney general’s office has opened an investigation into the data breach, a spokeswoman confirmed.

Uber has said in a statement to drivers that it will offer those affected free credit monitoring and identity theft protection.

The hackers stole personal data including names, email addresses and phone numbers, as well as the names and driver’s license numbers of about 600,000 drivers in the United States. The company said more sensitive information, such as location data, credit card numbers, bank account numbers, social security numbers, and birth dates, had not been compromised.

The New York state attorney general’s office has opened an investigation into the data breach, a spokeswoman confirmed.

“Non-disclosure creates a practical risk in the hundreds of millions,” said Hoofnagle.

In June, health insurer Anthem settled litigation over a 2015 breach affecting 79 million people for a record $115m.

As from next May non disclosure of a data breach, and/or non-encryption of personal data, will render companies liable to fines of up to 4% of global annual turnover or 20 million euros under the EU’s General Data Protection Regulation, GDPR.