Uber Data Breach and Why We Need New Digital Security Regulation

Uber Technologies Inc., joins Yahoo, Target, Equifax, and other companies as a target for hackers. Hackers allegedly stole personal data of 57 million Uber users and drivers. The hackers stole names, email addresses, and phone numbers from Uber riders and drivers from around the world. 600,000 U.S. driver license numbers were also stolen. Uber claims that no social security, credit card information, or trip details were taken. The shocking part is that Uber attempted to coverup the hack for a year instead of disclosing it to the public.

Uber’s former chief security officer, Joe Sullivan, and a deputy paid the hackers $100,000 to keep quiet about the hack. The company tracked down the hackers and asked them to sign nondisclosure agreements. Uber executives passed off the payment and nondisclosure agreements as a planned event where the hackers were paid in advance to test vulnerabilities in Uber’s system.

A Market for Corruption

Uber’s coverup is absolutely the wrong way of handling a hack into a business’s systems. The U.S. Securities and Exchange Commission requires that hacks be disclosed to investors to protect them from financial abuse (ironically, the SEC waited until September this year to disclose they had been hacked in 2016). Several states, including California, where Uber is headquartered, also mandate that companies disclose if their computers have been breached.

The New York attorney general’s office has opened an investigation into the matter. Two class-action lawsuits have been filed against Uber in federal courts in California.

Uber’s failure to disclose has potentially harmed investors, users, and drivers. The class action lawsuits claim that the company’s failure to disclose the hacks prevented users and drivers from contacting their financial institutions or from taking any action to prevent identity theft. Investors who spent money on Uber were also harmed, as Uber’s plans for an initial public offering in 2019 may either be delayed, or the company’s stock worth may be dramatically lower than originally forecasted.

Additionally, the coverup may lead to more hacks in the future. The F.B.I has warned against paying ransoms to hackers, since such payments will encourage hackers to invade other companies or even the same company again to secure more money.

21^st Century Cyber Security

It is pretty obvious now that America needs massive change in how it handles cyber security. Major companies in every sector are being targeted. The current Presidential administration is being investigated by a special because of allegations involving hacking. Even the government watchdog charged with overseeing whether companies are disclosing hacks, has been hacked!

Although we have laws requiring that companies publicly disclose any hacks into their systems, such laws do not seem to be enough. Companies and government agencies alike need to learn how to prevent cyber security breaches. I’m not going to pretend to be a cyber security expert, but there are dozens of pending laws before state lawmakers that address the issue. The shocking thing about that list how many laws didn’t make it. Not all of them need to be enacted, but laws that criminalize the installation of malware, require data encryption in certain industries,  or to create anti-hacking infrastructure should at least get a second glance in the wake of all these hackings.