Latest interesting article by Marc R Gagné Senior Privacy and Data Advocate, Cyber Intelligence and Director @ Gagne Legal, Director
For every dysfunctional company, there’s a turning point beyond which there’s no denying where things are headed. At that point, there’s no covering up any longer what everyone has come to know as the truth: the business is in serious trouble and nothing short of a complete overhaul will save its skin.
For Uber, that point did not come quickly. Throughout the past several years, they’ve blundered their way through a series of bad mistakes and have still always come out as the world’s leading ride-hailing company.
Uber’s Past Transgressions are Serious Enough…
Uber’s turning point did not come when they inflicted surge pricing on people attempting to escape the area of a hostage crisis in Sydney.
It did not come when they allowed a rapist to drive for them just two years out of prison, resulting in the rape of a passenger.
Nor did they reach that point when the world discovered that, rather than promoting a modern, startup culture that encouraged innovation and diversity, Uber was actually a hotbed of toxicity, especially for women.
Even when London banned Uber for not playing nice regarding driver background checks and the company’s approach to reporting crimes, Uber did not flounder or change their ways.
None of these offences did much to reduce the company’s dominance in the ride-sharing industry which they helped create. Nor did they appear to have prompted leadership and management to rethink their ways.
…But this Data Leak May Be the Last Straw
But this last offense—the monstrous, unforgivable data leak that occurred this past week—may finally be the last straw. For privacy advocates and security experts, the public’s response and crushing significance of this latest of Uber’s transgressions is a small victory… for it means the world may finally be waking up to the danger of companies who don’t take data security seriously.
Uber’s Monstrous Data Leak
In the first half of 2016, hackers stole sensitive personal information on 57 million Uber riders and drivers. Phone numbers, names, and email addresses were hacked and then the hackers demanded a large sum of money to delete their copy of the records.
This wasn’t the first time such a leak had happened. Uber already had a much-publicized data breach back in 2015, when their systems were hacked by a third party, resulting in the names and license numbers of tens of thousands of their drivers being released.
Their response to the earlier leak was to issue a statement on their blog, indicating they were sorry for the inconvenience.
Anyone who knows the seriousness of a data breach knows that it’s much more than an ‘inconvenience’ when your personal data is hacked. Perhaps it’s just that sort of flippancy over the matter that led to conditions where this latest breach occurred, in 2016.
The (Unforgivable) Way they Handled the 2016 Breach
It’s not just that Uber didn’t learn from their 2015 data hack. It’s not just that they weren’t able to change company culture after that or alter their organizational structure in a way that led to placing more priority on data security and privacy.
It’s the way they handled this latest breach that really tilts the scale.
Turns out, as reported by The New York Times last week, that Uber, upon discovering the hack, tried to cover it up. They paid that ransom to the very hackers that stole the data. Then, they cooked their books to make the $100,000 payment look like a service fee for, get this: a data security firm!
That’s right: they falsified their accounting records to make it look like they paid a top data security firm to test their software by trying to hack into it. They even had the nerve to make the hackers sign a nondisclosure agreement.
Never mind that state and federal laws were broken. It’s a serious breach of trust, the death knell for any modern company where transparency and trust are key elements of success. How can we take CEO Dara Khosrowshahi’s word that honesty and transparency appear anywhere at all on his company’s agenda? Uber didn’t even notify officials or the affected people whose data was stolen. They seem to have learned nothing at all since 2015… not even that they should follow the law. The tides will change soon for companies like Uber, when the law gets some teeth and finally catches up with what’s actually taking place with privacy and cybersecurity matters today.
Marc Gagné CCIE, CHTI, CCII, CCTA, CIPP/G/C, CTFI, MAPP