News has just broken about another high-profile data breach and another Chief Security Officer losing his job as a result. Following on from the firing of the CIO and CSO of Equifax in September, the CSO of Uber, Joe Sullivan, has now been let go after the company was forced to admit to a significant data breach in October 2016.
Last October hackers managed to obtained login credentials allowing them to access data stored Uber’s Amazon Web Services account. They stole personal data belonging to 57 million Uber users, including names, email addresses and phone numbers, as well as the names and driver’s licence numbers of about 600,000 drivers in the United States.
It has not been reported, but the data breach probably resulted from a phishing scam on an innocent Uber employee. As this blog has repeatedly said, the weakest link in the corporate security chain is always the human one. This can happen to any company and is not the reason why Joe Sullivan lost his job. That resulted almost certainly from two other factors that have subsequently emerged.
The first of these is that the data stored on AWS was not encrypted. This is a basic error on the part of the company and meant that the hackers were not prevented from making use of the data they had stolen. Or rather, there was nothing to stop them from doing so.
The second reason for the CSO being fired was that the company paid the hackers $100,000 to delete the data and keep the breach quiet. This was clear breach of California state law, which requires companies to notify state residents of any breach of unencrypted personal information, and to inform the attorney general if more than 500 residents are affected by a single breach.
This action has opened the company up to fines by the regulator. It has also opened them up to civil lawsuits by users and drivers for failure to protect their data and exposing them to having their identities stolen.
Uber’s CEO, Dara Khosrowshahi, has confirmed that the CSO, along with a second employee, were fired because of the response to the data breach rather than the breach itself. This is a stellar warning to CSOs and CIOs everywhere of their responsibilities for prompt compliance action in the wake of a data breach.
Here at Transputec we have put together a suite of tools to help any company that is facing up to the issues surrounding data security, particularly in the light of the impending General Data Protection Regulation here in the EU from May 2018.
This suite of tools can help with protecting your data from a breach, quickly discovering and mitigating the effects of a breach and, finally, complying with regulatory notification requirements when all else has failed.
Check out the suite of GDPR compliance tools on our website.
Head of Cyber Security