
Uber has been a very, very naughty boy

Instead of reporting a data breach, it paid hackers to keep quiet

[Image caption: Every breath you take, every move you make, every bond you break, every step you take, Uber will be watching you. Screenshot via Uber]

If you wanted to use a movie quote to describe ride-sharing giant Uber right now, then a scene from Monty Python’s 1979 cult classic Life Of Brian would deliver the perfect line. In it, Terry Jones, the film’s director, plays the mother of Brian, a young man mistaken for the Messiah. Addressing a crowd hoping to catch a glimpse of their idol, the mother declares: “He’s not the Messiah, he’s a very naughty boy.”

Uber, once hailed as the savior of worn-out taxi users and stressed commuters, has just admitted that it paid hackers $100,000 to cover up a data breach affecting 57 million of its users in late 2016, and this is just the latest in a number of negative headlines surrounding the American ride-sharing giant. Can the company hang on to its self-made halo, or is it already on the highway to hell?

While we don’t know exactly at what time the hackers carried out their attack, the data breach that occurred at Uber toward the end of last year was the type of security incident that you would get the CEO out of bed for at 3am. It was that bad. The perpetrators had managed to access user data stored on an Amazon Web Services account and successfully made off with names, e-mail addresses and phone numbers of millions of Uber riders from around the world, as well as 600,000 license numbers for drivers in America.

[Image caption: Imagine criminal hackers getting access to your movements. It's both creepy and scary. Screenshot via Uber]

When a breach like this occurs, the normal procedure would be to stop the attack, assess the damage and then file a public disclosure. It may not be a pleasant thing to do for a company—especially not for one as big and prominent as Uber—but it’s the right course of action and often also a step required by law. Most states in the US have rules that require companies to notify regulators and consumers of a serious data breach within a short period of time after it occurred.

Uber, for reasons only its management fully knows, decided not to say a word about the potentially serious incident until now. Instead, the company paid the very hackers that had carried out the attack $100,000 to destroy the stolen data and keep their mouths shut, a rather unusual step to take in the opinion of many. Uber chief security officer Joe Sullivan and a lawyer who reported to him at the time of the breach were fired because of how they handled the incident, according to Bloomberg, and the company has now hired Matt Olsen, a former general counsel at the National Security Agency and director of the National Counterterrorism Center in the US, as an adviser, presumably in a bid to tighten up security and scare off future hackers.


Closing loopholes and improving data security alone won’t be enough though, especially as even new company CEO Dara Khosrowshahi, the man tasked with helping Uber out of the valley of dark news, seemingly waited for over two months before finally disclosing the breach. Trust is important in a world where more and more companies ask for our data, and it is especially important when dealing with a company like Uber, which has a reputation for being rather gung-ho in its efforts to disrupt the transport industry and change the way we travel.

If we are to allow a brand like Uber to play the role of the maverick that barges past the regulator and proceeds to write a new book of rules—as the company undoubtedly did in the process that ultimately created the TNVS (Transport Network Vehicle Services) system which saw the Philippines becoming the first country in the world with a dedicated framework for ride-sharing—then we must be sure that the company is fit and proper to do so. After all, many local defenders of Uber keep pointing out that the Silicon Valley behemoth is better and more reputable than the old taxi owners and the local regulator. With great power comes great responsibility, as they say, and Uber is aiming for great things with its dream of being the one and only transport provider you’ll ever need. After this data breach and the delay in reporting it, can we still trust Uber to handle our personal details and credit cards, or that the company would be honest and fast-acting in case a similar incident took place again?

If we can’t place sufficient trust in the company to handle our data correctly and be honest with us (the users), then why should we bother involving Uber at all?

Frank Schuengel

Frank is a German e-commerce executive who loves his wife, a Filipina, so much he decided to base himself in Manila. He has interesting thoughts on Philippine motoring. He writes the aptly named ‘Frankly’ column.