The nearly daily reports of massive hacking incidents continue to demonstrate a shocking level of corporate incompetence. In September, we learned of the Equifax breach, which was breathtaking both in its scope and in Equifax’s disorganized response. In October we heard about the “Paradise Papers” breach of a Bermuda law firm, revealing details of how the super-rich avoid paying taxes. In November, we first heard about a breach at Uber that had actually occurred more than a year earlier. Uber’s amazingly derelict response managed to make Equifax’s poor response from September look well managed.
The details of Uber’s breach were not themselves shocking. In October 2016, Uber learned that its servers had been breached by hackers. The attackers first obtained credentials for a private GitHub repository (GitHub is a site programmers use to collaborate on software projects, including open source ones) and found, in the code stored there, login credentials for an Uber server that held the data that was later stolen. Though the breach affected around 57 million people, the hackers did not obtain financial information. For the vast majority of the affected individuals, the stolen data consisted of their names, email addresses, and phone numbers. For 600,000 individuals, the stolen data also included their driver’s license numbers, which triggered an obligation for Uber to notify those individuals of the breach. Had Uber notified them in 2016, this breach would likely have been quickly forgotten in the wake of larger breaches involving far more financially sensitive information. Similarly, Uber’s legal exposure in 2016 would not have been significant, since it would have been difficult for any individual to prove injury resulting from the loss of the specific type of data taken in this breach. However, Uber did not abide by its legal obligations in 2016. Instead, the ride-sharing company chose to hide the breach by paying the hacker a $100,000 ransom in return for a promise that the hacker would erase the stolen data.
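The root cause described above, server credentials committed into source code, is something a repository scan can catch before the code is ever pushed. The following scanner is an added example written for this page, not Uber's or GitHub's code; it runs three rules (AWS access key shape, secret-named assignments, high-entropy literals) over a constructed sample file and redacts what it finds so the report itself does not leak the secret.

```python
import math
import re

# Constructed sample source file (not real Uber code); the AWS values are the
# publicly documented AWS example keys, used here as stand-ins.
SAMPLE_SOURCE = "\n".join([
    "import boto3",
    'DB_HOST = "db.internal.example"',
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"',
    'password = "hunter2"',
    'DEPLOY_HOOK = "0123456789abcdeffedcba9876543210"',
    "DEBUG = True",
])

# Rule 1: AWS access key IDs have a fixed, recognisable shape.
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Rule 2: a string literal assigned to a secret-sounding variable name.
SECRET_ASSIGN_RE = re.compile(
    r"(?i)\b([A-Z_]*(?:password|passwd|secret|token|api_key)[A-Z_]*)"
    r"\s*=\s*[\"']([^\"']+)[\"']")
# Rule 3: any long quoted literal, flagged only if it looks random.
LONG_LITERAL_RE = re.compile(r"[\"']([^\"']{20,})[\"']")

def shannon_entropy(s):
    """Bits per character: random tokens score high, hostnames and words low."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def redact(value):
    """Never echo the whole secret into scanner output or logs."""
    return value[:4] + "..." if len(value) > 4 else "..."

def scan_source(text, entropy_threshold=4.0):
    """Return one finding per offending line; the first matching rule wins."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if m := AWS_KEY_RE.search(line):
            findings.append({"line": lineno, "rule": "aws_access_key_id",
                             "preview": redact(m.group(0))})
        elif m := SECRET_ASSIGN_RE.search(line):
            findings.append({"line": lineno, "rule": "secret_assignment",
                             "name": m.group(1), "preview": redact(m.group(2))})
        elif (m := LONG_LITERAL_RE.search(line)) and \
                shannon_entropy(m.group(1)) >= entropy_threshold:
            findings.append({"line": lineno, "rule": "high_entropy_literal",
                             "preview": redact(m.group(1))})
    return findings

if __name__ == "__main__":
    for finding in scan_source(SAMPLE_SOURCE):
        print(finding)
```

Wired into a pre-commit hook or CI job, a non-empty result from `scan_source` is the point at which the push is blocked and the credential rotated.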