How Cyber Criminals Took Uber for a Ride

By Seth Berman
December 18, 2017

The nearly daily reports of massive hacking incidents continue to demonstrate a shocking level of corporate incompetence. In September, we learned of the Equifax breach, which was breathtaking both in its scope and in Equifax’s disorganized response. In October we heard about the “Paradise Papers” breach of a Bermuda law firm, revealing details of how the super-rich avoid paying taxes. In November, we first heard about a breach at Uber that had actually occurred more than a year earlier. Uber’s amazingly derelict response managed to make Equifax’s poor response from September look well managed.

The details of Uber’s breach were not themselves shocking. In October 2016, Uber learned that its servers had been breached by hackers. The attackers first obtained credentials for a private repository on GitHub (a code-hosting service programmers use to collaborate on software projects), and found in that source code login credentials for an Uber server containing the data that was then stolen. Though the breach impacted around 57 million people, the hackers did not obtain financial information. For the vast majority of the affected individuals, the stolen data included their names, email addresses, and phone numbers. For 600,000 individuals, the stolen data also included their driver’s license numbers, which triggered an obligation for Uber to notify these impacted individuals of the breach. If Uber had notified these individuals in 2016, this breach would likely have been quickly forgotten in the wake of larger breaches involving far more financially sensitive information. Similarly, Uber’s legal exposure in 2016 would not have been significant, since it would have been difficult for any individual to prove injury as a result of the loss of the specific type of data stolen in this breach. However, Uber did not abide by its legal obligations in 2016. Instead, the ride-sharing company decided to hide the breach by paying the hacker a $100,000 ransom in return for a promise that the hacker would erase the stolen data.
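The attack path described above, a server credential sitting in committed source code, is exactly what a pre-commit or CI secret scan exists to catch before a repository compromise can turn into a server compromise. The following is an added example, not code from the article or from Uber; the credential patterns, the entropy threshold and the sample file are this editor's own assumptions.

```python
import re
from math import log2

# Shapes of credential that most often leak through source control (assumed
# for this example): password/secret/token-style variables assigned a string
# literal, and PEM private-key headers.
SECRET_ASSIGNMENT = re.compile(
    r'(?i)(password|passwd|secret(?:[_-]?key)?|api[_-]?key|access[_-]?key|token)\b'
    r'\s*[:=]\s*["\']([^"\']{8,})["\']'
)
PRIVATE_KEY_HEADER = re.compile(r'-----BEGIN [A-Z ]*PRIVATE KEY-----')
# Dummy values that appear in config templates and should not be flagged.
PLACEHOLDERS = {"changeme", "example", "xxxxxxxx", "<redacted>"}


def shannon_entropy(s):
    """Bits of entropy per character; random keys score high, dummies low."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * log2(n / len(s)) for n in counts.values())


def scan_source(text, path="<constructed>"):
    """Return (path, line_no, kind) for each likely hardcoded secret in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if PRIVATE_KEY_HEADER.search(line):
            findings.append((path, line_no, "private_key"))
            continue
        m = SECRET_ASSIGNMENT.search(line)
        if m:
            value = m.group(2)
            # Skip placeholders and low-entropy dummy values so a pre-commit
            # hook does not cry wolf on templates and test fixtures.
            if value.lower() in PLACEHOLDERS or shannon_entropy(value) < 3.0:
                continue
            findings.append((path, line_no, m.group(1).lower()))
    return findings


# Constructed sample of a config file someone might commit by mistake.
SAMPLE = """# constructed sample config committed to a repo
DB_HOST = "db.internal.example"
db_password = "changeme"
aws_secret_key = "s3cR3t-K3y-9f8e7d6c5b4a3"
token = "aaaaaaaaaaaa"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for path, line_no, kind in scan_source(SAMPLE, "config.py"):
        print(f"{path}:{line_no}: possible hardcoded {kind}")
```

Wired into a pre-commit hook or CI job, a non-empty result from `scan_source` should block the commit; the credential then gets rotated and moved to a secrets manager rather than merely deleted from the diff, since it already exists in history.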

Uber’s reaction is an almost perfect road map of how not to handle a breach. Uber’s decision to hide the breach violated several state laws, and may well have violated Uber’s own settlement with the FTC (itself the result of a prior data breach), which was only finalized a few months ago. This is likely to result in significant fines and civil settlements – far more than would have been necessary if the breach had been announced in 2016. As an example, the Attorney General of Washington has sued Uber for failing to notify those Washington citizens impacted by the breach, seeking the statutory fine of $2,000 for each day the notification was delayed, multiplied by the almost 11,000 individuals in Washington alone to whom notification ought to have been made. If granted by a court, this would amount to a daily fine of $22 million – multiplied by the 300+ days since the notification requirement came into play. Other states have also sued Uber over this same breach, and while it is likely that the total fines it will pay will not amount to the billions of dollars demanded by the Washington Attorney General, it is certain that the fines will be far higher than they would have been if Uber had abided by the law a year ago. One piece of good news for Uber is that the 2016 breach occurred before the effective date of the European General Data Protection Regulation (which was promulgated in 2016, but does not go into effect until May 2018). Assuming the breach impacted the personal data of Europeans as well as Americans, had GDPR been in effect Uber would also now be facing the possibility of fines in Europe of the greater of €20,000,000 or 4 percent of Uber’s global revenue – which for Uber could easily amount to hundreds of millions of dollars.

So what should Uber have done? Upon learning that it had a potential breach, it ought to have hired outside counsel to lead an investigation. This would have preserved any potential attorney-client privilege, and ensured that Uber was well advised of the complicated notification laws and liability schemes it faced in the US, Europe, and beyond. The investigation would have examined the causes and effects of the breach and determined whether notification to regulators or consumers was required. It would also have put Uber in a position to document what steps the company had taken to address its security flaws and reduce the risk to its consumers. The company would then have been able to notify consumers and regulators, and would have been prepared with a PR and customer relations strategy to address consumer concerns.

Ironically, the sheer volume of data breaches has meant that companies who make timely reports of breaches and have good strategies for addressing clients’ concerns have rarely faced long-term business or legal problems as a result of even the largest hackings. If there is one lesson for executives in the wake of Uber’s breach it is this: ignoring or hiding a reportable data breach is not a viable option.

KEYWORDS: cyber security cybercrime data theft
