Uber Pay $148m Penalty For Breach Cover-Up

Attempting to cover up a data breach was a failed mission for Uber, who has announced that it has agreed to a $148m settlement with Federal Trade Commission (FTC). The fine for its 2016 data breach and cover-up sends a strong message not only to Uber but to organisations across all sectors that data breaches, whether disclosed or not, come at a hefty price.

“Companies can no longer get away with poor cybersecurity and sweeping incidents under the carpet,” said Rob Shapland, principal cybersecurity consultant at Falanx Group. 

"I would expect many companies will have tried to hide the fact that they’ve been breached, especially given the size of the potential fines. This case, and Uber’s punishment for not revealing that the breach had occurred, will hopefully give companies further warning of the risks posed by cyber-attacks, so that they take the security of the data they hold more seriously.”

In November 2017 Uber shocked the cybersecurity community when it confessed that it had indeed attempted to hide the fact that data of 57 million users was stolen. 

In response to the settlement news, Tim Erlin, VP at Tripwire, said, “There’s no doubt that the cover-up behavior was impactful in how this settlement played out. It’s a good reminder to all organisations of how a good breach response plan can help avoid poor decision making in the midst of an incident.

The fine is huge, which has some commentators wondering whether it is intended to set a precedent in order to deter other organizations from attempting to cover up future breaches.

“Trying to keep [a breach] quiet will of course be an idea by some senior ranked employees. However, this is inevitably the wrong thing to do, and Uber is surely being made an example of what not to do,” said Jake Moore, security specialist at ESET.

“Being open about customer data breaches at the earliest opportunity is not only ethically the right thing to do, but helps protect people from a multitude of other attacks which could follow as a result.”

Moreover, the fine speaks to the financial risks of compliance mismanagement. That a breach of such magnitude was able to happen was problematic enough, but paying the hackers $100,000 to delete the data and keep the breach quiet, rather than report the incident, was “A blatant disregard for governance and compliance, putting customers at risk,” said Pravin Kothari, CEO of CipherCloud.

“The takeaway lesson is that it is incumbent upon all of us to foster a culture in our companies such that our employees understand the ethical necessity of full disclosure and transparency. Protecting our customers and their data is not optional.”

Infosecurity-Magazine

You Might Also Read: 

Uber’s U-Turn On User Watching:

 

« Facebook Could Face A GDPR Fine Of $1.63bn
Russia Stands Accused Of Global Hacking Campaign »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

ARC Advisory Group

ARC Advisory Group

ARC is a leading technology research and advisory firm with expertise in both information technologies (IT) and operational technologies (OT)

ComCode

ComCode

ComCode provides consulting services and solutions in the area of digitization and cyber security for mid-sized and big businesses.

Lacework

Lacework

Lacework brings speed, scale, and automation to cloud security and allows security and DevOps teams to collaborate on keeping data and applications safe.

Neoteric Networks

Neoteric Networks

We deliver a no nonsense procedure to implementing technology. The technology selection process ensures that all customers enjoy an engineered methodology implementing technology.

SecureAppbox

SecureAppbox

SecureAppbox provide solutions that protects the communication of sensitive data as well as advice on data security and compliance with GDPR.

e-Lock

e-Lock

e-Lock services include IT security consulting and training, security systems integration, managed security and technical support.

Uniwan

Uniwan

Uniwan is an IT services company specializing in networking and security.

North European Cybersecurity Cluster (NECC)

North European Cybersecurity Cluster (NECC)

NECC promotes information security and cybersecurity-related cooperation and collaboration in the Northern European region in order to enhance integration into the European Digital Single Market.

ETSI

ETSI

ETSI is a European Standards Organization dealing with telecommunications, broadcasting and other electronic communications networks and services including cybersecurity.

101 Blockchains

101 Blockchains

101 Blockchains is a professional and trusted provider of enterprise blockchain research and training.

Jandnet Recruitment

Jandnet Recruitment

Jandnet Recruitment is a small specialist company working in the IT sector. We recruit across all IT disciplines including cyber security and digital identity.

Packetlabs

Packetlabs

Packetlabs specializes in penetration testing services and application security.

Ankura Consulting Group

Ankura Consulting Group

Ankura is a global expert services and advisory firm that delivers services and end-to-end solutions in a wide range of areas including cybersecurity and digital transformation.

LoughTec

LoughTec

LoughTec secure, manage and connect IT infrastructure for businesses and organisations throughout the UK and Republic of Ireland.

QANplatform

QANplatform

QANplatform is a Quantum-resistant hybrid blockchain platform.

Axiotrop

Axiotrop

AXIOTROP is a Cybersecurity firm offering leading services in assessment, remediation, and validation to protect the confidentiality, integrity, and availability of regulated information.