Uber’s new CEO admits the company sustained a cyber-attack in late 2016. It led to the theft of the personal data of 57 million users.
Uber also confessed it paid $100 000 for the hackers’ silence.
This is a new scandal, just a few months away from the introduction of Europe’s General Data Protection Regulation (GDPR).
In office for only 10 days, Uber’s new CEO Dara Khosrowshahi states he learned about the hack only recently. According to his statement, an Uber GitHub server was hacked in late 2016. The personal data of 57 million clients was stolen (names, emails, phone numbers). The driver’s licence numbers of 600 000 drivers were also stolen.
“Uber’s response was irresponsible”
Uber adds that no sensitive data was stolen (credit card numbers, social security numbers, etc.) and that the two perpetrators were immediately fired. On an even more awkward note, the company confesses it paid the two hackers $100 000 to ensure their silence while negotiations were underway on personal data use.
“Uber’s response was irresponsible. By paying off the criminals, the company creates a dangerous precedent,” stated David Emm, cyber-security researcher at Kaspersky Labs.
Uber would have risked a 260 million fine with the GDPR…
This episode takes place only months away from the enforcement of the General Data Protection Regulation (GDPR), due in May 2018. European sanctions will be toughened in the event of negligence in the protection of personal data.
Christophe Badot, French CEO of Varonis: “Once again, we see that paltry sanctions do not encourage companies to protect their data. When the GDPR is enforced next May, companies dealing with EU citizens’ data will face far more severe sanctions. They will need to respect a 72-hour disclosure period after data theft. Had the GDPR been enforced then, Uber would have had to pay a fine of up to 260 million dollars (4% of its 6.5 billion revenue in 2016).”
Translation by Lisa Korrigane