The typical arc goes something like this:
The hack is discovered. Immediately thereafter, the company discloses the pertinent details about the hack, including the number of users impacted, and specifics on what data was compromised. They apologize, tighten up their processes, and often pay for a year (or more) of free credit monitoring for users who were affected by the breach.
All they while, they’re working with law enforcement to get to the bottom of who hacked them in order to bring the perpetrators to justice. That’s not the path Uber chose to take when they were hacked two years ago.
Instead, when the hackers contacted Uber and demanded $100,000 to reveal how they compromised Uber’s system, the company quietly paid up, and said the payment was a very large bug bounty. A year later, the company informed the users who had their data compromised.
Needless to say, that’s fairly far removed from the established best practices. When the details came to light, the EU took action.
Recently, the UK’s ICO (Information Commissioner’s Office) and its data protection authority in the Netherlands both announced a decision to fine Uber for the disclosure delay. The UK fine amounted to £385,000 and the fine from the Netherlands amounted to €600.000.
In all, the breach impacted some 2.7 million users in the UK and nearly 200,000 in the Netherlands.
A spokesman from the Information Commissioner’s Office had this to say about the matter: “The incident, a serious breach of principle seven of the Data Protection Act 1998 had the potential to expose the customers and drivers affected to increased risk of fraud.”
Ultimately, the fines amount to little more than a slap on the wrist. Uber got off easy in that regard, but hopefully, the slap was hard enough that should another such incident occur, they’ll choose to handle it very differently.