November 29, 2017
When a breach is announced, most security & risk pros are not too surprised. Yet Uber found a way to make the industry raise its collective eyebrows: it was discovered that Uber not only suffered a breach in late 2016 and failed to notify affected parties, but that leadership appeared to go a step further, engaging in a conspiracy to conceal the event by paying hush money to the hackers/extortionists and hiding it from the General Counsel and Board.
Shady Company That Does Shady Things
Security practitioners wondering how Uber’s security leaders could behave the way they did, and expect to get away with it, need to take into account the broader picture of Uber’s behavior. Uber’s security leaders took the actions they did because: a) they expected to get away with it, b) it aligned with Uber’s corporate culture, and c) it followed the pattern of how Uber handled issues. Here is the list of Uber’s transgressions from 2017 alone:
| Event | Date |
|---|---|
| Susan Fowler Blog Post | February 2017 |
| Alphabet (Waymo) v. Uber | February 2017 |
| Uber App fingerprinting violates Apple app store policies | April 2017 |
| Eric Holder Report | June 2017 |
| Uber evades Portland Officials | September 2017 |
| Board Investigation discovers coverup of 2016 Hack | November 2017 |
It’s Not The Crime; It’s The Coverup
Consumers won’t be surprised that there are people out to get your company and the data it holds about them. There may even be room for empathy in a case where an employee makes a mistake and exposes data. We’re all human, right?
Build your breach response on how you can do right by the individuals whose data you’ve mishandled or lost, and you start the process of getting back on your feet. Build your breach response on self-preservation and denial, and you’ll dig yourself into a deeper hole as the public questions your competence and intentions. Even the perception of impropriety is enough to cast doubt and trigger further scrutiny from multiple fronts – customers, journalists, regulators, state attorneys general, and more.
Uber’s new CEO’s statement about the breach is a good attempt at managing this crisis. It is clear in stating what happened, who is affected, and what is being done, and it does not offer excuses. However, whatever positives exist in this response are overshadowed by Uber’s original response (the circus of allegations includes: tracking down the two individuals, having them sign non-disclosure agreements, paying them $100,000 USD to delete the data, and hiding the payment as a bug bounty).
Customers won’t remember what you said; they will remember how you made them feel. Why does this matter? Emotion is the most important factor in your customer relationship. It motivates attention and drives action.
The Long Tail Of Breach Costs Will Hurt The Most
If we look at the major categories of cost of a breach, Uber has gotten a good head start on fulfilling each category and it’s only been about a week since public disclosure.
1. Response and notification
- Uber has indicated that they will directly notify affected drivers by mail or email and will offer them free credit monitoring and identity theft protection.
- Uber has hired Mandiant to investigate.
2. Lost employee productivity and turnover
- Uber’s CSO and an in-house attorney are out.
- Potential added cost to recruit future candidates.
3. Legal and settlement
- To date: at least 12 lawsuits filed.
4. Regulatory penalties
- Pending FTC settlement over a 2014 privacy violation that the 2016 breach may complicate.
- At least five US state attorneys general have launched investigations; violations of privacy and breach notification laws are an area of interest.
- Authorities in the UK, Spain, Netherlands, Italy, Australia, and Philippines have indicated investigations to come.
5. Remediation and audit
- None reported at this time. These costs are typically part of the long tail.
6. Brand recovery
- Unknown. Uber has weathered worse, and this breach is not its first rodeo. Each consumer will have their own tipping point for giving up on Uber. The wild card — and most costly to win back — will be vocal influencers who convince their network, family, and friends to leave Uber for alternatives. Free rides won’t compensate for company culture and values that go against what customers want to support.
7. Other liabilities
- Potential hit to the SoftBank deal; renegotiation is possible, but no final decision yet.
- Trial delayed in trade secret dispute between Uber and Waymo.
Breaches take time to resolve, and the nature of a breach investigation guarantees that additional details will emerge. Lawsuits stemming from a breach can take years to work through the legal system, and regulatory bodies may take months or years to investigate and hand down rulings. Starting off breach response with mistakes ensures that every new detail haunts the company, reminding the public, regulators, and investigators of its missteps. Uber has its work cut out for it, especially with its plans for a 2019 IPO. This ride is far from over.