Uber has finally disclosed that it experienced a cyber breach in 2016 in which the personal details of both drivers and customers were hacked by cyber criminals. The company reportedly had kept the breach secret for a year and paid a $100,000 ransom to have the data destroyed.
Here we go again. Another data breach. Another executive — Joseph Sullivan, Uber’s well-known chief security officer — reportedly gets the axe for mishandling a major incident. Sadly, it’s becoming a common trend.
The big news here is Uber’s concealment of the breach, which increased the cyber risk of drivers and customers as well as the loss of trust from investors and governments.
The mishandling of credentials for an Amazon Web Services account was seemingly behind the data breach, which demonstrates that companies really need to adhere to industry recommendations on securing and protecting privileged credentials. Not protecting these credentials can lead to major cyber incidents.
Privileged accounts can be the difference between a simple perimeter breach and a cyber catastrophe. Privileged access management has been a major problem that needs to be addressed immediately, and this incident is just another example of a company not managing access and securing the keys to the kingdom.
Further, securing privileged credentials is a requirement of many industry regulations. Not protecting them exposes companies to compliance failures as well as data breaches like Uber’s. The Uber breach also demonstrates the importance of incident handling as part of an organization’s cybersecurity policy: doing it right can change the outcome of many cyber incidents. You cannot wait until it is too late to get your incident response plan in place.
Since this data breach has occurred, we have seen a change in chief executive officers at Uber, and disclosure of the data breach affords the current CEO, Dara Khosrowshahi, an opportunity to set things straight. He has a chance to change the negative perceptions that have arisen about Uber as a result of its many scandals.
But why should your company follow Uber’s example of disclosure, without its long delay, and disclose as soon as possible?
Dirty Laundry
Until recently, many CFOs may not have been considered vital parts of their organizations’ security teams. As incidents become more common and their impact more widespread, CFOs are regularly being called upon to help promote cybersecurity by assessing the risks and their implications, financial and otherwise.
This trend will certainly intensify in the wake of the Uber breach. CFOs, of course, have a major role to play in the daily running of a business. Their work with financial analysts and investor relations professionals has always spawned questions about loss of control over data.
They are also concerned about the loss of funds through theft, waste, or a third party’s bad luck. It doesn’t take much imagination to see they have good reason to be worried. The data under control of the CFO, including revenues, profits, investments, acquisitions, and forecasts, is some of the most sensitive and important information found within any global business.
With the upcoming European Union General Data Protection Regulation (GDPR), which goes into effect in May 2018, businesses of all sizes, around the world, face huge financial penalties for failure to disclose data breaches. They will have to follow a strict 72-hour breach-notification rule, which requires disclosure to authorities in the countries impacted.
The GDPR replaces the European General Data Protection Directive of 1995 and provides the foundation for taking responsibility and being accountable when it comes to dealing with European citizens’ private data. This means that a corporation is accountable and responsible for all the information it collects.
If a data breach occurs and it’s found that adequate security measures were not in place, there are significant penalties and fines: 20 million euros, or 4% of annual sales. According to my rough calculation, if we use Uber’s gross bookings from 2016 of $20 billion, then Uber, after the May 2018 GDPR rule goes into effect, could face possible financial penalties of $800 million. Those penalties, of course, would be much higher than the penalties Uber faces by disclosing the data breach this week.
So are you hiding a major data breach like Uber? If so, you might want to pull an Uber and disclose it ASAP.
Maybe you haven’t found the data breach yet. Then you had better get looking immediately, before it is too late and you put your entire business (and with it, your own reputation) at risk.
I suspect many companies that provide services to EU citizens will need to really think hard about keeping major data breaches a secret. We may see more companies, like Uber, face the reality that now is a good time to hang out the dirty laundry and survive the tougher cyber regulations on the horizon.
Cybersecurity should never be an afterthought, and companies need to take a proactive approach to cybersecurity now. Protecting privileged accounts, especially those that have access to customers’ and employees’ personal details, should be a major priority.
Joseph Carson is chief security scientist at Thycotic, a data security firm.