Uber Admits to Concealing Data Breach

According to a report published by Bloomberg on 22nd November, the ride-share giant Uber has admitted that former executives concealed, for more than a year, a data breach which compromised the information of 50 million customers. The hack, which occurred in October 2016, compromised a GitHub repository which contained names and contact details of 50 million customers worldwide as well as 7 million drivers. Rather than notify affected parties of the breach, the company decided instead to pay a ransom to the hackers to delete the affected information and keep quiet.

This story is disturbing on many levels.

Transparency is essential if consumers and businesses are to maintain trust in cloud computing and eCommerce. Data breaches should be disclosed to all affected parties as soon as they become known, so that those parties can take any remedial action they believe is appropriate.

The fact that executives of a major global corporation, including its former Chief Security Officer and former Chief Executive, chose to pay a major ransom to hackers instead of disclosing the breach raises serious questions about the culture of the organisation and the moral compass of the individuals involved. The company and its executives have exposed themselves to civil litigation from affected parties as well as the possibility of criminal sanction.

Beyond this, the mere fact that the company hosted live customer and partner data on a GitHub repository indicates gross carelessness in the company's software development and testing processes. Developers can easily create simulated data for testing purposes and should under no circumstances store live customer or partner data on repositories outside their control.

It is also disturbing whenever hackers are rewarded financially for executing this type of criminal activity. This applies not only to payment of ransom in cases of data breach, but also to payment of ransom for the hijacking of computers with ransomware, which is on the increase.

It is a good sign that Uber, under new management, has finally come clean and accepted responsibility for its previous actions. But this might be too little, too late, given that security remains one of the major impediments to wider adoption of cloud computing by business. We can hope that the current class-action lawsuit being brought against Uber in relation to this matter will be enough to deter other companies from following suit.