Uber incident

by Mark Rowe

The data breach at the ride hailing app Uber should be a warning to all businesses, says Ekaterina Khrustaleva, COO at the AI platform ImmuniWeb.

A data breach, especially a major one, is a nightmare scenario for large enterprises and small businesses alike because it can lead to serious consequences – from reputational damage and client loss to financial setbacks and legal repercussions. The fear of consequences may prompt some organizations to remain tight-lipped about a breach to avoid the negative impact that results from publicly disclosing a security incident. But failure to report a data breach could entail not only multi-million dollar fines but criminal charges as well.

Earlier in October, Joe Sullivan, a former chief security officer at Uber Technologies, was found guilty in the United States of obstructing proceedings of the Federal Trade Commission (FTC) while the company was under investigation for prior failures to protect data, and of misprision of a felony related to the failure to disclose two data breaches, in 2014 and 2016. This appears to be the first time an executive has faced a criminal trial over a data breach.

The case is related to the 2016 Uber security incident where hackers gained access to the company’s systems and stole the data of 57 million customers and drivers. The attackers then contacted Sullivan directly to demand a ransom in exchange for the deletion of stolen records. Instead of reporting the breach as required by law, Joe Sullivan paid the hackers $100,000 in bitcoin through Uber’s “bug bounty” program and then had them sign non-disclosure agreements.

A sentencing date has not yet been set, but the ex-CSO faces a maximum of five years in prison for the obstruction of justice charge and up to three years for the misprision charge.

The breach came to light only in November 2017, after Uber had publicly disclosed it. In September 2018, the ride-hailing company paid $148 million to settle claims that it intentionally concealed the massive data breach.

This case is a stark reminder that the cover-up is often worse than the crime; nevertheless, many security professionals are ready to keep a security incident hidden. In fact, more than half (61pc) of business owners admitted to concealing a breach, and one-third (32pc) of respondents said that their organization experienced a six-figure breach last year.

Meanwhile, 78pc of C-suite executives claim that they would be willing to pay a ransom. 56pc of respondents said they would be willing to pay over $100,000 to resume operations.

Most organizations perceive a data breach as one of the main threats to their business, another report shows. Although more than a third (76pc) of C-level executives believe that a data breach is inevitable, the majority (90pc) of those surveyed admitted their organization is missing at least one resource that would help them defend against a severe cyber-attack, with the most common missing component being advanced technology (59pc).

There are also human factors at play, with senior management reluctant to accept advice (46pc), a lack of budget (44pc), and a lack of people resources (41pc).

The fear of losing one's job may contribute to the reluctance to report a data breach to higher-ups once it has occurred, as one-third of CEOs state that they would terminate the contract of those responsible for a data breach. At the same time, more than half of office workers admit they would reconsider working for a company that had recently experienced a cyber-incident, with only a third saying they would be unconcerned.

In 2022, the average cost of a data breach reached $4.35 million, a 2.6pc rise from the 2021 figure of $4.24 million. The potential costs associated with a data breach are extremely high, as they can include not only remediation costs but also substantial penalties for failure to comply with data protection rules.

Here are just a few examples: in July 2019, the credit agency Equifax agreed to pay $575 million in a settlement over the 2017 data breach that saw the personal and financial information of nearly 150 million people compromised. In July 2022, US mobile communications giant T-Mobile agreed to a $350 million settlement over the previous year’s massive data breach that exposed the personal information of millions of users. That same month, Chinese ride-hailing giant Didi Global was fined 8.026 billion yuan ($1.2bn) for violating 16 cyber security laws in China, including the network security law, data security law and personal information protection law.

That being said, it’s nearly impossible to eliminate all the risks that can lead to a data breach, but organizations can minimize them by following cybersecurity best practices. These include building a data breach prevention strategy, limiting access to an organisation’s network and most valuable data, implementing a third-party risk management program, conducting employee security awareness training and regular website and mobile security audits, keeping systems and software up to date, and developing a data breach response plan. An efficient incident response plan can help an organization minimise breach impact, reduce fines and negative publicity, and recover more quickly from a security breach.

© 2024 Professional Security Magazine. All rights reserved.