Cyber-security researcher Abigail McAlpine is undertaking her doctorate under the umbrella of the University’s Secure Societies Institute. Here she comments on the international scrutiny the Uber transport app is facing after the news that a massive concealed data breach affected over 57 million Uber users.
“The Uber transport app is facing international scrutiny around the news of a massive concealed data breach that affected over 57 million Uber users. Data stolen in the hack included names, email addresses, licence plate numbers and mobile phone numbers and included personal data of both drivers and passengers. Authorities in the UK, US, Australia and the Philippines are investigating the actions and ethics of Uber since the release of the news this week.
On Tuesday the 21st of November, Uber CEO Dara Khosrowshahi released an announcement on their website that hackers had gained access and stolen a large amount of personal user data over a year ago in October 2016 and that the company had failed to be transparent with their users about the breach. This announcement follows the news of credit monitoring giant Equifax who also lost large amounts of consumer data and delayed the announcement of the hack for several weeks.
Unfortunately, this news reveals a trend in which the dismissive and weak security procedures have not only resulted in users’ personal data being stolen but it has also validated any concerns that large corporations do not recognise the significant fees and penalties to be enough to encourage them to tighten security regulations and procedures nor inform their users about the hacks.
Little incentive is provided to impose honest and swift action in notifying customers upon the discovery of substantial hacks. The deliberate concealment of breaches from both regulating bodies and users demonstrates that the fines and settlements do not encourage more efficient policies and procedures. Even more concerning was the conduct and actions of Uber after the discovery of the hack. Uber allegedly paid hackers $100,000 to keep the news of the hack under wraps and to destroy the data stolen.
European Union privacy regulators are likely to review the data breach cover-up next week (28th/29th of November) and could potentially impose a joint sanction and coordinated investigation into the way the hack was handled.
When the GDPR EU protection law comes into power in May 2018 regulators will be able to impose fines of up to 4% of the offending company’s global turnover.
Time will tell if this is enough to expect a higher standard of ethics and integrity to be demonstrated by global corporations in future.”