Commenting on news of the Uber data breach today, which affects about 57 million people and 7 million drivers, Joe Hancock, Cyber Security Lead at Mishcon de Reya, says:
“Uber has known about this data breach for a year and while it's not uncommon for companies to avoid reporting hacks when they happen, this may fall foul of US breach notification laws.
“Uber encountered issues when it failed to report breaches in 2014. European companies should take heed from this example and the implementation of the new General Data Protection Regulation will also require notification of affected users for sensitive breaches.
“The lack of reporting by such a high-profile company is sure to drive further regulation. Many governments seem to be taking the view that businesses cannot be trusted on cyber and Data Protection issues.
“Cyber Security professionals should stand up to prevent companies from concealing these sorts of breaches in the future. There is the suggestion that some members of the security team at Uber may have been involved in a cover-up. After the Equifax breach, which raised difficult questions for executives, there is no longer any doubt that cyber issues will cost senior directors their jobs and reputations if the wrong decisions are made.
“The mechanics of the hack are not sophisticated and restrictions around account access, such as requiring two-factor authentication, may have prevented it. There is also little justification for such a large archive of user data to be left in situ.
“Attacks on cloud systems are now common and the cloud remains a blind spot for many companies that rely on it without necessarily understanding how to properly secure it.”