Uber Data Breach - 'Where to' now?
News has broken today (22 November 2017) of the major breach of personal data which occurred at Uber in October last year. Although news of data breaches is now an almost-weekly occurrence, there are a couple of things which make this one different, and those differences have resulted in a significant amount of negative attention on Uber, at a time when they would much prefer to avoid the spotlight.
The first difference: the breach was concealed for over a year. It isn’t possible to say how many un-reported data breaches occur, but I suspect that Uber are not the only company who have made the decision to take the risk of concealing a breach, in the hope that it isn’t discovered and they avoid reputational damage. The gamble is that, if they are discovered, the damage would be much greater.
The second difference: it isn’t Uber’s first run-in with regulators over data protection – they settled with US regulators earlier this year over a previous data breach, which occurred in 2014.
The third difference: Uber paid the ransom. The position commonly taken by governments, that they “do not negotiate with terrorists”, is evidently not shared by major international companies, and by paying the perpetrators Uber could be accused of effectively endorsing and encouraging this criminal activity.
The combination of these factors means that this data breach may well be massively damaging to Uber.
They can count themselves lucky that GDPR was not in force at the time this breach occurred. If it had been, the concealment on its own (a failure to notify the supervisory authority and the affected individuals) could have resulted in a fine of up to 2% of their worldwide annual turnover – a potential fine of $130m based on a reported revenue of $6.5bn. That is the lower tier of fines under GDPR; it’s possible that the breach also involved other infringements of the regulation, such as inadequate security of the data itself, which attract the higher tier of up to 4% of turnover. Given the severity of the breach, it seems likely that the fine would be significant, and it makes no difference under GDPR that Uber is based in the USA: the regulation applies to any organisation processing the personal data of individuals in the EU, wherever that organisation is established.
The reaction of the UK Information Commissioner’s Office is an indication of how the EU view a company's failure to report a data breach; James Dipple-Johnstone, ICO Deputy Commissioner, stated in two separate press releases today that: "Deliberately concealing breaches from regulators and citizens could attract higher fines for companies."
So expect to see more belated reports of hidden data breaches, as companies look to cleanse their off-the-books history before the new GDPR rules become enforceable!
Is your company ready for GDPR? If you have no establishment in the EU, have you appointed a Data Protection Representative in the EU? Contact DPR Group at email@example.com for more information, or visit our website at www.dpr.eu.com.