Uber pays $148m fine for data breach cover-up


Ride-hailing firm Uber is paying $148m (£113m) to settle legal action over a cyber-attack that exposed data from 57 million customers and drivers.

The massive breach happened in 2016 but Uber sought to hide it from regulators.

The company paid the hackers behind the intrusion $100,000 to delete the data they grabbed from Uber’s cloud servers. 

The payment settles action brought by the US government and 50 states over Uber’s failure to disclose details of the data loss.

Uber revealed some information about the breach in November 2017 and admitted that it should have been more open about the attack.

“None of this should have happened, and I will not make excuses for it,” said Uber’s boss Dara Khosrowshahi at the time. Two security officials were fired for their handling of the incident.

The personal data from 57 million Uber accounts also included information about 600,000 driving licence numbers. 

As well as paying the fine, Uber has pledged to change how it operates, to prevent it falling victim in the same way again. It will also be required to submit regular reports on security incidents to regulators.

Legal action brought by drivers, customers and the cities of Los Angeles and Chicago over the breach is still ongoing.

Speaking about the fine, David Emm, Principal Security Researcher at Kaspersky Lab, said: “It comes as no surprise that Uber is facing a hefty fine following its breach last year when hackers were paid $100,000 by the organisation to keep it quiet. In a breach where 2.7m people in the UK were affected, it was a reprehensible offence to pay off hackers to avoid public backlash.

“Customers that entrust private information to the care of a business should be safe in the knowledge that their data is being kept in a secure manner. For example, British Airways handled its data breach in an exemplary manner, ensuring it took the necessary precautions to inform its customers in response to the breach.

“Businesses need to ensure that they have sufficient security solutions in place, and that if they do face a data breach, they inform their customers and supply them with information to assist them during that time. It is also crucial that businesses review processes regularly to ensure that they don’t pose a security risk.

“Whilst security solutions significantly mitigate the risk of a successful attack, there are also other measures that businesses can take in order to provide thorough protection. These measures include running fully updated software, performing regular security audits on their website code and penetration testing their infrastructure. Alongside this, all passwords should be protected using secure hashing and salting algorithms.

“The best way for an organisation to combat cyber-attacks is by putting in place an effective cybersecurity strategy before that company becomes a target.”