When embattled ride-sharing company Uber finally disclosed last week that a 2016 data breach had compromised the names, email addresses and phone numbers of 57 million users and the driver’s license numbers of 600,000 drivers, and that the company had attempted to hide the information from users and regulators, most consumers were shocked and horrified.
Corporate cybersecurity experts, however, were unsurprised. Apparently, data breach cover-ups happen all the time.
“I don’t know if it’s a well-kept secret or they don’t want to admit to it, but the painful reality is that there are so many financial drivers motivating companies not to report breaches that it’s difficult to motivate them to be ethical,” Gregg Garrett, head of international cybersecurity for BDO, told LTN.
Although there are data breach notification laws on the books in 48 U.S. states requiring companies to inform consumers about potential exposures of their personal information, companies don’t exactly have great incentives to disclose a potential data breach. Disclosing data breaches tends to invite scrutiny from investors, open the door to litigation, and may not play well for a company’s reputation.
Nor do company cybersecurity hierarchies incentivize individuals within companies to disclose. Chief information security officers (CISOs), generally those charged with identifying any potential malware or breaches, tend to report to chief information officers (CIOs), who are tasked with ensuring that the company’s cybersecurity architecture and policies are up to snuff. “Major breaches could jeopardize their payouts, their bonuses, their jobs themselves. When the CISOs report to CIOs, you have this dilemma where people are not always motivated to disclose things that could make you look bad,” Garrett explained.
Some of this depends on your definitions of both “cover-up” and “data breach.” Ed McAndrew, co-practice leader of Ballard Spahr’s privacy and data security group, explained that while it may seem fairly cut and dried whether a breach has occurred, and whether that breach would trigger data breach notification laws, it can be subject to a fair amount of interpretation.
“Breach is generally a legally defined term. The way companies approach this is, ‘We have to notify if we have a breach. Do we actually have a breach?’ In a lot of instances, that’s not always immediately apparent. Sometimes it’s difficult to determine, and it’s not always a breach,” McAndrew noted, adding that malware or other penetration into a system doesn’t always result in data exposure.
Given this ambiguity, McAndrew sees many people fail to disclose potential data breaches. “Most people start unfortunately from a default posture that they’d really rather not disclose they have a data breach. In a fair number of instances, we’re not seeing disclosures as a result of that,” he said.
The question of cover-up around Uber’s recent disclosure comes from the company’s decision to make a $100,000 payment to hackers to delete data, and to have hackers sign non-disclosure agreements (NDA) to ensure their silence. The payment and NDAs, in Bradley Arant Boult Cummings partner and cybersecurity and privacy team leader Paige Boshell’s experience, may be a less common practice.
“It’s really hard to tell how many companies have paid hackers. I have not heard of that yet in this type of context where it’s a true external hacker,” she said, noting that some companies do opt to pay ransomware hackers demanding money in exchange for the return of data. While law enforcement officials advise companies not to pay ransomware demands, the popularity of ransomware attacks indicates that companies don’t always take that advice. “If it weren’t lucrative, it wouldn’t be skyrocketing in practice,” she noted.
The payment in itself raised fewer questions for McAndrew than the fact that Uber identified and opted to negotiate directly with its hackers without telling law enforcement or regulators that it had done so. “If you’re really a victim, do what a victim does and go to the police. It’s pretty mind-blowing, and I can’t for the life of me think of why a person could reasonably rely on the kind of criminals that are stealing your data and extorting you,” he said.
Details are still emerging about Uber’s particular handling of this breach, but the non-disclosure agreement in particular raised red flags for Boshell. “It’s hard to say that that in itself is a crime, but it certainly makes them, from a reputational perspective, look less like a victim,” she said. “I have not personally heard of a company tracking down their own hackers and having them sign a non-disclosure. That puts them in a very unfavorable light,” she later added.
Uber is facing some dire political consequences for its handling of the breach. At least five U.S. senators have requested information from Uber about its security standards and what data breach notification responsibilities it may have shirked. Seven attorneys general, in Connecticut, Illinois, Massachusetts, Missouri, New York, New Mexico and Washington, have opened investigations into the company and how the breach may have impacted their states’ residents to date. Illinois’s Cook County, which includes Chicago, also filed suit against Uber for exposing residents to risk.
“The likelihood of a congressional hearing is much higher due to the subsequent actions than it is for the breach,” Boshell said, adding that penalties in each of these states and local inquiries are likely to be higher because of Uber’s handling of the breach.
Fines from these multiple actions could certainly add up, but they may still pale in comparison to the potential valuation loss Uber is facing as well. Uber’s deal to sell a significant stake of shares to Japanese telecom company SoftBank garnered just a $48 billion tender offer, nearly $22 billion below its $70 billion valuation in its last funding round.
Uber’s reputation has taken more than a few hits this year between neglect of sexual harassment reports from female staffers, a reportedly toxic workplace culture, use of a tool to help drivers avoid law enforcement, and most recently, allegations of evidence withholding in the company’s legal battle against Waymo. Many of these issues were attributed to leadership from former Uber CEO Travis Kalanick, who stepped down in June of this year, but it has yet to be seen whether the company’s new executive team can weather this latest data privacy revelation.
“The new management gets one bite at the apple. They get to claim that they’re new and that these problems are not theirs only once,” McAndrew said. Taking a strong stance around data privacy and committing to bolstering infrastructure may be one way for Uber to prove it plans to turn over a new leaf.
Some are hoping that Uber’s fallout from the data breach and subsequent cover-up will prove a cautionary tale to other organizations. “I think it is an ill-conceived strategy that companies need to move away from. Covering up this activity is not likely to succeed. As we’re seeing now, it causes more harm than the actual breach itself. It is a misguided strategy,” McAndrew said.
Although company cybersecurity staff may feel confident in their ability to cover up a breach with little consequence, McAndrew noted that there are many ways of identifying these breaches beyond basic due diligence reviews. Cyberattacks are often leveraged against multiple connected organizations, so a breach buried by one victim can surface through another. And though payments may be rendered in Bitcoin, its transactions are recorded on a public ledger, so the history of a payment isn’t easily destroyed.
“This is all iterative. You’re creating a history of cybersecurity activity. Even if you effectively bury something today, it may come to light tomorrow,” McAndrew added.
While there are some things companies can do to ensure that they’re complying with data breach notification laws internally—creating a different reporting structure, for example—Garrett thinks regulators may need to play a bigger role in cracking down on corporate cybersecurity breaches. “Nobody wants to hear this, I don’t even like saying it, but you’ve got to have stronger regulations and consistent regulations,” Garrett said.
While certainly regulators have tightened policies around financial and infrastructure data security, regulations around organizations in other industries and certain kinds of personal and commercial data remain fairly fragmented. “There needs to be standardization across the U.S. marketplace. There needs to be significant penalties,” Garrett added.