Breach Notification , Governance & Risk Management , Incident & Breach Response
Did Uber Break Breach Notification Minimum-Speed Limits?New CEO Reportedly Learned About Breach Two Months Before Company Came Clean
Uber's delayed breach notification has trigged fresh questions about how quickly companies should come clean after they suffer a cybersecurity incident.
Dara Khosrowshahi became CEO of San Francisco-based Uber on Sept. 5. About two weeks later, he first learned of the 2016 breach, unnamed sources tell the Wall Street Journal (see Uber Concealed Breach of 57 Million Accounts for a Year).
When Uber first publicly disclosed the breach on Tuesday, Khosrowshahi said in a statement that he'd launched an investigation immediately after learning about the breach so that he could accurately notify investors and breach victims about what had happened. The company also wanted to cut ties with two security executives - its CSO and deputy CSO - who had allegedly mishandled the breach and response, the Wall Street Journal reports (see Fast and Furious Data Breach Scandal Overtakes Uber).
Uber says its breach resulted in data for 57 million of its riders' and drivers' accounts being exposed. The ride-hailing firm reportedly paid two hackers $100,000 to hush up the breach, which it says ran from September to October of last year. Uber says it's seen no signs of identity or fraud arising from the attacks, based on an investigation conducted by an outside digital forensics firm.
Uber's breach-notification speed - both its year-long concealment of the breach, as well as how Khosrowshahi responded - will no doubt be weighed by a multitude of probes. At least three EU data protection agencies are looking into the breach, including Britain's Information Commissioner's Office, as is the New York State Attorney General's office and the U.S. Federal Trade Commission (see Driving Privacy Regulators Crazy: UK Probes Uber Breach).
"We've been in touch with several state attorney general offices and the FTC to discuss this issue, and we stand ready to cooperate with them going forward," Uber says in a statement.
EU privacy watchdogs say they will launch a joint investigation into the breach next week. "We cannot but voice our strong concern for the breach suffered by Uber, which was reported belatedly by the U.S. company," Antonello Soro, president of the Italian Data Protection Authority said Wednesday.
"It is clearly surprising that a digital multinational like Uber has patently insufficient and inadequate security measures in place to protect data; indeed, we are dismayed by the poor transparency shown towards users, which we intend to investigate," Soro said.
Patchwork of U.S. Notification Laws
In the United States, there's no federal data breach notification requirement covering all industries. The Health Insurance Portability and Accountability Act requires covered entities to notify federal authorities and affected individuals within 60 days of discovering a breach that affects 500 or more individuals. The financial sector must comply with the Gramm-Leach-Bliley Act, which requires firms to notify customers of a security incident "as soon as possible."
Businesses must comply with a patchwork of laws in 48 states, each applying to only its residents. None set a specific time limit for how quickly victims must be notified after a breach gets discovered. But some legislation, such as the breach notification law in California, specifies that "the disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement."
Already, some legal experts are suggesting Khosrowshahi waited too long to issue a public notification after he first learned of the breach.
"The provisions that allow for delay are not about getting your new management in order," Deirdre Mulligan, a professor at the University of California, Berkeley, who advised California lawmakers on their breach-notification law, tells the Wall Street Journal.
Failing to comply with breach notification laws leaves companies vulnerable to fines and forced settlements that require the business to commission external audits that prove its cybersecurity acumen for years to come.
Optimal Timing: Open to Interpretation
Information security experts say there can be good reasons to not rush notifications. Notwithstanding any laws to the contrary, cybersecurity attorney Mark Rasch says optimal breach notification timing should be "not too soon, not too late." He says well-timed notifications will give consumers the information they need to protect themselves, for example, by freezing their credit reports, without creating unnecessary panic (see Data Breach Notifications: What's Optimal Timing?).
Under Europe's new General Data Protection Regulation, however, any organization worldwide that suffers a breach that exposes Europeans' personal information must notify their "relevant supervisory authority" within 72 hours of discovering the breach. GDPR enforcement begins in May 2018.
Informing authorities, however, is different from notifying victims. While GDPR implementation remains a work in progress, many privacy experts believe EU government privacy watchdogs will take a "not too soon, not too late" approach that seeks to balance breach notification speed with accuracy.
Britain: Waiting For Accurate Victim Count
The challenge of how to inform victims and when was highlighted this week by a British government minister who says officials are still waiting to get an accurate count from Uber of the number of U.K. citizens who were impacted by the breach.
"We are working with the Information Commissioner's Office and the National Cyber Security Centre, and they are talking to the U.S. Federal Trade Commission and others to get to the bottom of things," Matt Hancock, Britain's digital minister, told the House of Commons on Wednesday. "Our advice to Uber drivers and customers is to be vigilant and to monitor accounts, especially for phishing activity." (See Drive-By Phishing Scams Race Toward Uber Users)
Hancock was speaking during this week's Prime Minister's Questions, during which the British prime minister and her cabinet visit the House of Commons to field oral questions from lawmakers for a half hour.
Hancock said the U.K. government first learned about the breach like everyone else - via Tuesday media reports.
Uber's Breach Notification Speed Slammed
Some British lawmakers expressed dissatisfaction with Uber's handling of the breach. "When Transport for London announced on 22 September that it would not renew Uber's license in London, Uber emailed its customers the very same day to ask them to protest against the decision," Kevin Brennan, a Welsh Labour MP, said in response to Hancock's statements. "Does the minister agree that if it could email all its customers then, it should do so now, and begin that communication with an apology?"
Hancock responded that Uber does not yet appear to know the number of U.K. breach victims. "We do not have sufficient confidence in the number that Uber has told us to go public on it," he said, saying that the government hoped to have better information in the coming days.
The minister also cautioned that breach victim tallies tend to rise. "In the Equifax breach ... the initial figure suggested went up," he said.
The British government is now moving to pass a new Data Protection Bill that will bring the country's privacy laws in line with GDPR, including the ability to levy fines of up to £18 million ($24 million). "The new bill will require organizations to report breaches likely to impact on data subjects to the Information Commissioner within 72 hours of becoming aware of one," Hancock said during PMQs. "In serious cases, they will also have to notify those affected by the breach. The commissioner will have increased powers to respond in the way that she considers appropriate, including with fines of up £18 million or 4 percent of global turnover."
Uber's Legal Woes Pile Up
The delayed breach notification adds to the legal woes facing Uber, which is known for aggressively combating local taxi regulations. The firm faces a number of probes and lawsuits over alleged sexism, harassment, working conditions and the theft of self-driving car trade secrets from Google parent Alphabet, which Uber denies. A string of senior executives have been departing the business, and the board dismissed former CEO Travis Kalanick in June.
Uber also lost its license to operate in London earlier this year. The mayor of London said any attempts by Uber to appeal that decision might take years to resolve.