What can the Uber breach teach us about information security?

Facts in a nutshell: 

  • In 2016, Joseph Sullivan, Uber’s former chief security officer (CSO), covered up a breach exposing the data of more than 50 million Uber customers and drivers.
  • This case may be the first time a company executive has faced criminal charges over a cyber attack. The CSO was fired and federally charged with one count of obstruction of justice (in relation to a Federal Trade Commission investigation) and one count of misprision (deliberate concealment) of a felony.
  • With the breach affecting drivers in the UK and the Netherlands, Uber paid over $1.2 million in fines to data protection authorities. “The October 2016 data breach affected approximately 2.7 million user accounts in the UK” — Spokesperson (NCSC) [1]

What happened, exactly? 

  • Hackers breached 57 million Uber users' and drivers' accounts and demanded $100,000 to delete their copy of the stolen data. The data included names, phone numbers, email addresses and more than 600,000 US drivers' licence numbers.
  • Uber’s CSO at the time disguised the “ransom money” as a payment under the company's bug bounty program.
  • The payment was made in bitcoin, and the hackers were asked to sign non-disclosure agreements that falsely stated no data had been lost.
  • The incident was not disclosed to the FTC or the public until Uber's new CEO, Dara Khosrowshahi, joined the company in 2017.
  • Convicted on the 5th of October 2022, Sullivan is currently facing a maximum of eight years in prison for obstruction of justice and failure to report the breach.
  • In a statement published in 2017, Khosrowshahi assured the Uber community that “trip location history, credit card numbers, bank account numbers, social security numbers or dates of birth” were not found to have been downloaded by the hackers [2].

News of Sullivan’s conviction comes on the heels of Uber’s most recent breach – an employee shared passwords with a hacker posing as a corporate IT worker, in an attack known as “social engineering”. This technique, SocialProof Security’s CEO Rachel Tobac says, is gaining popularity as a means of “gain[ing] a foothold within tech companies” [3].

After discovering the breach last month, Uber’s chief information security officer (CISO) Latha Maripuri assured employees that the hack was being investigated [5].

What can you do to avoid data breaches?

How can ISO 27001 help fight against data breaches?

 “To err is human” – human error can always happen.  

But simple mistakes can be avoided. Maintaining an ISO 27001 compliant ISMS helps your company calculate and manage information security risks. In fact, data breach reporting is a key requirement of ISO 27001 compliance. 

Here are a few more benefits of becoming ISO 27001 compliant:

  • Improved data protection - Establish security controls to ensure the confidentiality, integrity and availability of data 
  • Immunity from penalties - Increase resilience to cyber attacks and avoid being fined for non-compliance   
  • Legal compliance - Abide by legal, statutory, regulatory, and contractual obligations by securing information assets 
  • Efficient risk management - Ensure your ability to resume operations with minimal disruptions in the wake of a cyber attack 
  • Technology and compliance - Establish a centrally managed system to stay updated on and respond to vulnerabilities and security threats 
  • Competitive edge - Prove your commitment to information security and gain an edge over your competitors. 

How can DataGuard help you? 

Falling prey to data breaches can cause heavy fines and compromise the reputation of your company. Uber’s mismanagement of the 2016 breach cost them an additional $148 million, paid to settle a case filed by the 50 states and the District of Columbia [6], for attempting to cover up the incident. 

Cyber attacks are avoidable, and we can help you reduce the risk of a data breach with our holistic solution for managing information security, InfoSec-as-a-Service:

  1. We have a 100% first-time pass rate for customers completing external information security audits. 
  2. We help digitise processes, automate manual tasks and compile a single source of truth for your information security.  
  3. We help you get ISO 27001 certified and earn a competitive advantage that helps to shorten deal cycles. 

Let us look after the technicalities of your organisation’s information security and free up valuable time for you to run your business. 
