In November 2016, over 57 million customers and drivers on the Uber app had their details accessed by hackers. Whilst the incident occurred over two years ago, the company remains in hot water as a result of the unimpressive way in which they handled the breach. Instead of revealing the attack, Uber US paid the hackers a ‘bug bounty’ of $100,000 to not reveal the incident and delete the 16 files that included full names, email addresses, phone numbers and the location data where users signed up.
‘Bug bounties’ are often used by organisations to improve their security: people who find vulnerabilities and exploits in their software are paid a bounty in exchange for reporting the issue privately rather than making it public. The difference between a genuine bug bounty and the way Uber handled this case is that the data breach had already occurred, so the payment was simply a cover-up, and the incident was never reported to the public.
While Uber’s operation in Europe was only fined £385,000, Uber US was fined $148 million for the breach and subsequent cover-up. In a statement, Xavier Becerra, the California Attorney General, noted that the decision not to disclose the incident was “a blatant violation of the public’s trust” and that “Uber swept the breach under the rug in deliberate disregard of the law”. This comes alongside one of the largest corporate data breaches of all time, at Marriott, a multinational hotel chain with over 6500 locations worldwide, where about 500 million guests had their personal details exposed, including some people’s credit card details.
So, how did the information get into the hands of attackers? The data was stored on a third-party cloud computing service, and the login credentials for that cloud account were found in a GitHub repository used by software engineers at Uber. In other words, the only thing standing between would-be hackers and customers’ data was a set of login details. Whilst protections such as multi-factor authentication are now standard on everyday accounts such as YouTube and Apple, large companies like Uber fail to take the necessary precautions to ensure that the people who put their trust and private information in their hands are adequately protected, or even informed when something happens. Should people really be putting their trust in companies that time and time again fail to provide a basic level of care towards people’s sensitive data?
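The failure described above, cloud credentials sitting in a source repository, is one that a repository owner can check for mechanically before a commit is pushed. The following scanner is an added example written for this article; it is not Uber’s code, nor any particular vendor’s tool. The AKIA access-key prefix and the PEM private-key header are documented formats; the list of secret-looking variable names and the placeholder allowlist are assumptions made for the example, and the sample configuration it scans is constructed here (the AWS values are the well-known documentation placeholders, not live credentials).

```python
import re
import sys

# Each rule: (name, compiled pattern, index of the group holding the secret
# value; 0 means the whole match). The AKIA prefix and the PEM header are
# documented formats; the variable-name list is an assumed convention.
RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), 0),
    ("private_key_block",
     re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"), 0),
    ("secret_assignment", re.compile(
        r"(?i)(aws_secret_access_key|secret[_-]?key|password|passwd"
        r"|api[_-]?key|token)\w*\s*[:=]\s*['\"]?([^\s'\"]{8,})"), 2),
]

# Values that are clearly placeholders rather than real secrets (assumed list).
PLACEHOLDERS = {"changeme", "placeholder", "xxxxxxxx"}


def is_placeholder(value):
    """True for templated or dummy values such as ${DB_PASSWORD} or <redacted>."""
    v = value.strip().lower()
    return v in PLACEHOLDERS or v.startswith(("${", "<", "%("))


def redact(secret):
    """Keep a short prefix so a finding is recognisable without logging the secret."""
    if len(secret) <= 4:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 4)


def scan_text(text, path="<input>"):
    """Return a list of findings for credential-looking material in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern, value_group in RULES:
            m = pattern.search(line)
            if not m:
                continue
            secret = m.group(value_group)
            if value_group and is_placeholder(secret):
                continue  # templated value, nothing sensitive committed
            findings.append({"path": path, "line": lineno,
                             "rule": name, "match": redact(secret)})
    return findings


def scan_paths(paths):
    """Scan each file on disk; unreadable bytes are replaced, not fatal."""
    findings = []
    for p in paths:
        with open(p, encoding="utf-8", errors="replace") as fh:
            findings.extend(scan_text(fh.read(), path=p))
    return findings


# Constructed sample configuration for this example. The AWS values are the
# placeholder keys from AWS's own documentation, not live credentials.
SAMPLE_CONFIG = """\
# constructed sample config for this example; the AWS values are the
# placeholder keys from AWS's own documentation, not live credentials
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
region = us-east-1
db_password = ${DB_PASSWORD}
api_token = "changeme"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    # With file arguments, act as a pre-commit hook: non-zero exit blocks the
    # commit. Without arguments, scan the constructed sample.
    results = scan_paths(sys.argv[1:]) if len(sys.argv) > 1 else scan_text(SAMPLE_CONFIG)
    for f in results:
        print(f"{f['path']}:{f['line']}: {f['rule']}: {f['match']}")
    sys.exit(1 if results else 0)
```

Run against the sample, it reports the access key ID, the secret key and the PEM header on lines 4, 5 and 9, while the templated `${DB_PASSWORD}` and the `changeme` dummy are ignored. Wired into a pre-commit hook or CI job, the non-zero exit is what stops a credential from reaching a shared repository in the first place; a scanner like this complements, rather than replaces, multi-factor authentication and short-lived cloud credentials, which limit the damage when a secret does leak.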
On the other hand, in the wake of what seems like a constant stream of new data breaches and leaks of personal information, the question must be asked: does it really matter anymore? With seemingly every new incident causing tens or even hundreds of millions of people to have their information released (and in the case of Yahoo! in 2016, all 3 billion accounts were affected), is there really that much risk to any one individual? Many accounts, whilst vulnerable, cannot practically be taken advantage of because of the sheer volume of information that hackers would have to sift through. Although this may do little to reassure people affected by the breaches, it is something that should be taken into consideration.
All in all, living in such a convenient world, where we can arrange for a car to pick us up within minutes using an app that covers everything from booking to paying, comes with the caveat that our data is more vulnerable than ever before. These luxuries, beyond what we would have thought reasonable even a couple of decades ago, force us to question where we should draw the line.