Craig McDonald, 06 December 2017 13:24:48 AEDT

Uber: Paying-Off Cybercriminals was a Wrong Turn


The shocking news about Uber’s data breach woes just keeps on coming. After reading Stephen Little’s Independent article ‘Uber data leak hit 2.7m UK customers’ I felt compelled to break my silence on this issue.

I don’t like to heap criticism on an already embattled company, but the latest revelations about Uber’s unethical behaviour have made them fair game for critique, I think. Uber’s handling of their ongoing cybercrime crisis has landed them in a situation where they are now dealing with a legal battle and a public relations meltdown as well.

The key problem here is lack of transparency. I talk a lot about the importance of sharing information around cybersecurity issues because if we’re going to survive the war on cybercrime, we’ve got to start realising that secrecy serves the objectives of the criminals, and always ends up being damaging to a business in the end.


We Need Accountability


It’s not just me calling for open communication on cybercrime. Last week I interviewed eminent leadership scholar, Prof. Gary Martin, about how CxOs can better handle data security issues, and I think it’s fair to say he emphatically agreed with my position. Business leaders need to be more vigilant, but we also need to be more transparent about the threats we face. In our conversation, Gary Martin really summed up the problem perfectly when he said this:

“An organisation’s culture plays a huge role in setting the standards for behaviours that help to prevent cybersecurity issues – and culture is very much the responsibility of the CEO and the C-suite... Until there is a lot more discussion and sharing, cybersecurity challenges will not only prevail; they will escalate. We need much more open dialogue about cybersecurity…”

(Read the rest of my interview with Prof. Gary Martin, here.)


Transparency is Good Business


Uber was attacked and compromised by cybercriminals; that’s a big problem, but Uber’s leadership exacerbated the problem by trying to hide it from their customers and the public.

By attempting to keep their data breach secret, Uber simultaneously empowered the criminals, betrayed the trust of their customers and irrevocably damaged their reputation with the public at large.

Let’s count the cost for a minute. According to the Independent article, Uber paid a ransom of US$100,000 to the hackers who stole their customers’ data. That ransom was paid, in part, to keep the hackers quiet about the breach. It was hush-money.

Uber is suffering staggering losses (US$1.5 billion in their most recent quarter apparently) - so a measly hundred grand ransom was hardly going to matter, financially. What Uber’s executives failed to understand was what would happen when the scandal finally came to light.



Ongoing Financial Damage


There’s no way to realistically calculate the financial harm to Uber that will result from breaking trust with their customers like they did. Suffice to say that the old maxim ‘all publicity is good publicity’ probably doesn’t apply when the headlines are about your company allowing millions of customer credit card details to fall into criminal hands.

There will, eventually, be a specific number that can be attached to Uber’s legal costs fighting this case in the US courts, but that bill will probably keep adding up for years to come. Even when the litigation is over, Uber will be bearing the stigma of bad publicity that comes from a scandal like this for years.

Finally, consider this, the most persuasive argument against paying ransoms to cybercriminals: if you pay them once, they will come after you again.

Uber thought they were buying themselves out of a bad situation, but actually, their ransom payment has secured their position on the international cybercriminal hit-list. Now that it’s public knowledge that Uber pays ransoms, every gangster syndicate and two-bit hacker on the internet will be looking to take a piece of them.

In a world where criminals can hold a company to ransom just by infiltrating their email inboxes, paying a ransom is the final mistake in a pattern of mismanagement.

Uber failed to adequately secure their systems. They failed to stand firm against extortionists. They failed to inform their customers about the compromise of their credit card data. And finally, Uber failed to realise that by paying their attackers a hundred thousand dollars to keep quiet, they were actually setting the fuse on a scandal that has the potential to cost them billions in collateral damage.


Leadership Means Honesty


Uber are fortunate that this data breach occurred before the introduction of the EU’s GDPR regulations. After February 2018, companies that allow EU customer records to be stolen will face fines that are based on the number of records compromised - and those fines will be pretty massive when we’re talking about Uber-scale breaches that run into the millions of files.

The EU GDPR is on its way. Australia is bringing in the NDB Scheme that mandates full disclosure of data breaches. Governments around the world will soon be enforcing greater corporate accountability on data security, so the time to take ownership of cybersecurity is now.

If Uber’s situation teaches us anything, it should be to address cybersecurity challenges before they become scandals.

Informing customers about breaches isn’t just the ethical thing to do; it’s good business as well. Reputational damage and litigation resulting from cover-ups will always be much more costly than any ransom paid to criminals.



Let’s Talk


I’m on a mission to create dialogue around cybersecurity leadership. Whether you’re a small business owner or a corporate CxO, I would love to hear your perspective on these issues. Please get in touch with me on LinkedIn or Twitter and share your POV.
