Director of Cyber Security, Americas
Uber’s Data Breach: A GDPR Test Case
On Tuesday 21 November 2017, Uber publicly disclosed that it had concealed a breach of both driver and customer data affecting 57 million people worldwide. Details of the breach are still emerging, but it is believed that the attackers accessed the GitHub accounts of Uber engineers, where they found credentials for an online storage platform. Logging in with those credentials exposed a large store of unencrypted personal data, including the names and licence details of drivers and the names, email addresses and phone numbers of customers.
Although news of the breach is only now making headlines, the attack itself occurred back in October 2016, meaning that the data had been compromised for over a year before it was reported. It has also emerged that Uber’s Chief Security Officer helped to cover up the breach by paying the perpetrators $100k to delete the data and keep the breach quiet.
The breach itself, whilst large, pales in comparison to some other high-profile data breaches, and at this time it does not appear to have involved more sensitive information such as credit card details or location data. The more concerning aspect of this saga is Uber’s response to the breach and its basic security failings: storing the personal data unencrypted, keeping live credentials for that store in source code, and seemingly using production data in a development environment.
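The first failing described above, credentials for a storage platform sitting in a source repository, is the one most easily caught before it happens. The following is an added example of a pre-commit style secret scanner; it is not Uber’s or S-RM’s tooling. The sample file contents are constructed, and the credential formats it looks for (an AWS-style access key ID, a PEM private-key header and a high-entropy literal assigned to a secret-looking variable) are assumptions for the illustration, since the article does not say which storage platform the leaked credentials belonged to.

```python
"""Pre-commit style secret scanner: flags credential-looking literals in
source files so that storage keys never reach a shared repository.

Added illustration for this article, not Uber's own tooling. The sample
files are constructed; the key formats are assumed for the example.
"""
import math
import re

# Constructed sample repository contents. The AKIA... / wJal... values are
# AWS's documented example credentials, not live keys.
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = True\n"
        "STORAGE_BUCKET = 'driver-exports'\n"
        'STORAGE_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"\n'
        'STORAGE_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    ),
    "deploy/id_deploy": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEpAIBAAKCAQEA0constructedkeymaterial\n"  # constructed, not a real key
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "app/clean.py": (
        "import os\n"
        'DB_PASSWORD = os.environ["DB_PASSWORD"]  # read at runtime, not committed\n'
        'API_TOKEN = "xxxxxxxxxxxxxxxxxxxxxxxx"    # placeholder, low entropy\n'
    ),
}

# Rule 1: AWS-style access key IDs carry a fixed, recognisable prefix.
AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Rule 2: PEM-encoded private key material.
PEM_HEADER = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
# Rule 3: a secret-looking name assigned a quoted literal of 16+ characters.
SECRET_ASSIGN = re.compile(
    r"""\w*(?:secret|password|passwd|token|key)\w*\s*[=:]\s*["']([^"'\s]{16,})["']""",
    re.IGNORECASE,
)
ENTROPY_THRESHOLD = 3.0  # bits per character; placeholders fall well below this


def shannon_entropy(s: str) -> float:
    """Bits per character of s; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep enough of a hit to locate it without echoing the secret itself."""
    return f"{value[:4]}...({len(value)} chars)"


def scan_text(path: str, text: str) -> list:
    """Return at most one finding per line: (path, line_no, rule, preview)."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = AWS_KEY_ID.search(line)
        if m:
            findings.append((path, line_no, "aws-access-key-id", redact(m.group(0))))
            continue
        if PEM_HEADER.search(line):
            findings.append((path, line_no, "private-key", line.strip()))
            continue
        m = SECRET_ASSIGN.search(line)
        # Entropy gate: "xxxx..." placeholders match the name pattern but are not secrets.
        if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
            findings.append((path, line_no, "high-entropy-secret", redact(m.group(1))))
    return findings


def scan_repo(files: dict) -> list:
    """Scan every (path, contents) pair and collect the findings in file order."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    hits = scan_repo(SAMPLE_FILES)
    for path, line_no, rule, preview in hits:
        print(f"{path}:{line_no}: {rule}: {preview}")
    # As a pre-commit hook, a non-zero exit blocks the commit.
    raise SystemExit(1 if hits else 0)
```

Run against the constructed files it reports the access key ID and the secret key in config/settings.py and the private key in deploy/id_deploy, and nothing in app/clean.py, where the password is read from the environment and the token is an obvious placeholder. A scanner like this is a cheap control on the development side; it does not replace encrypting the stored data, which is what would have limited the damage once the credentials were used.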
Consequences for Uber
Authorities in the United States, United Kingdom, Australia and the Philippines have already launched investigations into the data breach, with concerns focused on the failure to make the breach public rather than on the breach itself. The US Federal Trade Commission (FTC) has stated that Uber’s failure to notify the proper authorities in a timely manner may expose it to “substantial monetary damages, especially if it was intentional.” Penalties and settlements are currently most often sized on a per-record basis; for comparison, in June this year the health insurer Anthem paid a record $115m to settle class-action litigation over a 2015 data breach affecting 79 million people.
Even before any fines are handed out, there has been an immediate financial impact for Uber. SoftBank has submitted a tender offer for the purchase of a significant portion of Uber’s stock. The latest reports from these negotiations are that the offer stands at $32.96 a share, more than 30% below the valuation of $48.77 a share at Uber’s last funding round. Commentators have attributed this dip, in part, to the reputational hit the company has taken from the breach and its response to it.
Penalties Under the GDPR
Whilst it seems Uber may already have suffered financial losses as a result of this breach, the consequences could have been much more severe had it happened after 25 May 2018, when the EU’s General Data Protection Regulation (GDPR) applies. The GDPR will apply to any company handling the personal data of individuals in the EU, whatever the company’s own location, and under it companies which suffer data breaches can be penalised with fines of up to €20m or 4% of global annual turnover, whichever is higher. The level of a fine takes into account the company’s compliance with GDPR requirements, including the technical measures it had in place, and its speed, cooperation and transparency when dealing with a breach.
Taking into consideration Uber’s attempts to cover up the breach, the lack of encryption of the data and the fact that the proper authorities were not notified for such a long time, Uber could have faced a fine of up to £204m (based on reported revenue numbers from 2016). To put this into perspective, the UK handed out 35 fines for data breaches in 2016 totalling £3.2 million.
What should Uber have done under the GDPR?
Uber’s story, with all of its apparent failings, is the perfect example of what not to do during a breach. Under the GDPR, an organisation must notify its supervisory authority within 72 hours of becoming aware of a personal data breach, and must inform the affected individuals without undue delay where the breach is likely to result in a high risk to them. There is also an obligation to implement appropriate technical and organisational measures showing that data protection has been considered and built into processing activities; encryption of personal data is explicitly named in the regulation as one such measure, and for a data store of this kind it is the obvious minimum. For a company that processes as much personal data as Uber, a Data Protection Officer (DPO) will also need to be appointed and be made available as the company responds to the breach.
What should be in a breach disclosure under GDPR?
• The nature of the breach, including the categories of data and the approximate number of individuals and records affected
• A point of contact for more information (typically the Data Protection Officer)
• The measures taken, or proposed, to address the breach and mitigate its effects
• The likely consequences of the breach for the affected individuals
Uber has already taken a reputational hit, but had the same failings occurred after May 2018, the consequences could have been far more serious.
S-RM is a leading risk consulting firm that supports business, governments and private clients worldwide. They help clients identify and manage regulatory and operational risks, ranging from money laundering, fraud, reputational damage and corruption, to security, political change and cybercrime.