Uber Data Breach: Accountability, Corporate Ethics In Question


Three of the top Uber managers resigned after the data breach revelations. They resigned from Uber’s security, business operations, and international teams. Uber also faces fresh questions from the US Congress on why it initially concealed details of such a big data breach, which impacted over 57 million drivers as well as riders in 2016. A series of letters has already been sent to the taxi aggregator by both Democrats and Republicans. They want to know why Uber didn’t reveal the security breach to customers earlier. They have also asked how the company dealt with law enforcement agencies and what it has done to help drivers who lost their sensitive data.

Rethinking accountability and corporate ethics

Uber recently revealed that a 2016 data breach had been suppressed. It said that hackers stole the data of 57 million drivers and riders. The ride-hailing company kept the data breach under wraps for over a year and paid $100,000 as ransom money to the hackers. The deal with the hackers was fixed by Uber’s chief security officer, with the full knowledge of former CEO Travis Kalanick, say reports. Security officer Joe Sullivan has been fired, and Kalanick had to step down earlier this year. However, he stays on the Uber board. Two hackers carried out the breach of sensitive data including telephone numbers, emails, and names. The hackers demanded $100,000 from Uber to delete their copy of the stolen data. Uber agreed to the demands and tracked the hackers, forcing them to sign nondisclosure agreements.

According to Bloomberg, the hackers used a private GitHub coding site used by Uber software engineers and used their login credentials to access data stored on an Amazon Web Services (AWS) account that handled computing tasks for Uber, where they accessed the data archives. Mandiant, a cybersecurity firm owned by FireEye, has been hired to investigate the attack.

Raising regulatory measures for public cloud

After the firings, a number of questions naturally arise about what could be termed one of the biggest data breaches in history. Who is responsible for the data breach: the Chief Information Officer, the Chief Legal Officer, or the Chief Security Officer? Does the episode prove that the public cloud is inherently vulnerable for storing customer data? How justified is a company in concealing such a sensitive matter for more than a year? What are the customers’ and the employees’ rights in such a situation?

No doubt, the seriousness of the charges could lead to significant consequences for a company that has already been regularly making news for all the wrong reasons. It could also mean greater regulation and scrutiny of the exponentially growing public cloud market. This huge lapse could set off a massive shakeup in cyber security, one not seen in recent years. Moreover, it is hard to imagine that the massive data breach was hidden by the company for more than a year and has only just been revealed. Uber will have to answer many such uncomfortable questions.