After a relatively quick rise, the entire Uber empire is at risk of falling apart. Uber has already been spending a lot of resources on public relations, legal challenges, as well as marketing exercises to sustain growth in the European Union (EU). Among all that activity, Uber just announced that they failed to disclose a cyber attack that happened around October 2016.
The company recently revealed that they’d been hit by a data breach last year and paid hackers to not release the stolen data. Normally, a breach such as this is already a major concern, but considering the upcoming implementation of the EU’s General Data Protection Regulation (GDPR), this unreported data breach will be the biggest speed bump for Uber as they try to gain trust in the EU.
How the attack happened
Uber’s engineers use a private coding site for development. Two hackers took advantage of a loophole in that site and stole login credentials to access personal data hosted on the company’s cloud platform.
According to Uber, the hackers stole over 600,000 drivers’ personal information (including their names and license numbers) and the names, email addresses, and phone numbers of 57 million riders. Uber says that it has taken preventive measures to stop further breaches and has shut down the existing attack. But the one thing Uber didn’t do was report the breach to the public. Currently, they aren’t actually required to report the breach, but if this breach had happened in Europe after the GDPR goes into effect (i.e., any time after May 25, 2018), they’d face some serious consequences.
What if this breach happened after May 25, 2018?
This breach exposed EU citizens’ personal data, and under the GDPR, Uber would’ve faced heavy penalties. Failing to report the breach would have been a separate compliance violation, one that would assuredly have broken consumer trust in Uber across the EU. All that’s on top of a hefty fine: 4 percent of their total revenue or €20 million, whichever is higher.
Lessons from this data breach
Let’s now examine how Uber could’ve handled this breach in a way that complies with the GDPR’s upcoming rules.
- If there’s a breach, it should be: detected promptly, stopped as soon as possible, assessed to determine its impact, and reported within 72 hours of its occurrence. Skipping any one of these would lead to GDPR non-compliance.
- Wherever data is stored (physically, virtually, or on the cloud), companies need to take security measures to protect that data from unauthorized access and continually verify that it is secure.
- If a company is using custom applications or services, they need to be monitored as well. Enterprises should verify that the activities happening on these applications and services are audited and monitored to seal security loopholes.
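The three lessons above describe a loop (audit access to the data store, alert on activity that does not belong there, and start the 72-hour notification clock from the first alert), and a small script makes that loop concrete. The following is an added example written for this post, not code from Uber or from the author; the log format, the allow-list of approved service principals, the bulk-read threshold, and the log lines themselves are all constructed assumptions.

```python
"""Audit-log monitor sketch: flag access to a personal-data store by an
unapproved principal or in bulk, then derive the 72-hour notification deadline
the post mentions from the earliest alert. Everything below is an assumption
made for this example; real audit logs and thresholds will differ."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample audit log, one access per line:
# "<ISO-8601 timestamp> <principal> <action> <data store> <records returned>"
SAMPLE_LOG = """\
2016-10-13T02:10:00Z svc-etl        GET rider-pii  1200
2016-10-13T02:11:00Z svc-etl        GET rider-pii  1300
2016-10-13T03:05:00Z dev-backup-key GET rider-pii  25000000
2016-10-13T03:09:00Z dev-backup-key GET driver-pii 600000
2016-10-13T03:30:00Z svc-reports    GET driver-pii 500
"""

# Assumed allow-list: the only identities expected to read personal data.
APPROVED_PRINCIPALS = {"svc-etl", "svc-reports"}
# Assumed ceiling on records a single legitimate request should return.
BULK_THRESHOLD = 100_000
# Notification window stated in the post.
NOTIFY_WINDOW = timedelta(hours=72)


@dataclass(frozen=True)
class Event:
    ts: datetime
    principal: str
    action: str
    store: str
    count: int


def parse_log(text: str) -> list[Event]:
    """Parse the constructed whitespace-separated log format into events."""
    events: list[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, principal, action, store, count = line.split()
        # Normalise the trailing 'Z' so fromisoformat accepts it on older Pythons.
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(Event(when, principal, action, store, int(count)))
    return events


def find_alerts(events: list[Event]) -> list[tuple[Event, list[str]]]:
    """Return (event, reasons) for every access that violates a rule."""
    alerts: list[tuple[Event, list[str]]] = []
    for event in events:
        reasons: list[str] = []
        if event.principal not in APPROVED_PRINCIPALS:
            reasons.append("unapproved principal")
        if event.count >= BULK_THRESHOLD:
            reasons.append("bulk read")
        if reasons:
            alerts.append((event, reasons))
    return alerts


def notification_deadline(alerts: list[tuple[Event, list[str]]]) -> datetime | None:
    """72 hours after the earliest alert; None if nothing was flagged."""
    if not alerts:
        return None
    first_seen = min(event.ts for event, _ in alerts)
    return first_seen + NOTIFY_WINDOW


if __name__ == "__main__":
    found = find_alerts(parse_log(SAMPLE_LOG))
    for event, reasons in found:
        print(f"{event.ts.isoformat()} {event.principal} {event.store} "
              f"{event.count} records: {', '.join(reasons)}")
    print("report by:", notification_deadline(found))
```

On the sample log the two `dev-backup-key` reads trip both rules, and the deadline falls 72 hours after the first of them; the point of the allow-list rule is that a credential lifted from a code-hosting site would not be on it, so its first use against the data store is what raises the alarm rather than the later discovery of missing data.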
Let’s take these lessons seriously and be prepared for May 25, 2018.
Want more information on the GDPR? Get a free GDPR resource kit on us.
Want to talk to our experts regarding GDPR adoption? We’re all ears!