Yesterday, riding-sharing giant Uber agreed to pay $148 million to settle cases across the U.S. concerning their 2016 data breach. The breach affected 57 million customers and 600,000 drivers. Email addresses and mobile phone numbers were exposed. Yet size is not what made the Uber breach and this subsequent settlement so attention-grabbing. Instead, the Uber breach stands as one of the most infamous cybersecurity coverups of the modern digital age.
Travis Kalanick, CEO of Uber at the time of the breach, and his senior leadership chose to pay the hackers responsible $100,000 to keep the incident quiet and destroy the stolen data. Not until a new CEO took the helm of the company did Uber reveal the breach. The disclosure provoked a national scandal and a deluge of lawsuits.
In a statement on the recent settlement, Xavier Becerra, Califonia’s Attorney General, summarizes the incident succinctly: “Uber’s decision to cover up this breach was a blatant violation of the public’s trust. Consistent with its corporate culture at the time, Uber swept the breach under the rug in deliberate disregard of the law…This settlement broadcasts to all of them that we will hold them accountable to protect that data.”
But what can enterprises learn from this sordid story? How will Uber’s settlement change the culture of cybersecurity coverups? And if the culture does change, by how much?
The Culture of Cybersecurity Coverups Must End
Data breaches appear to be a part of daily life in the digital marketplace. However, quantifying the number of data breaches experienced each year has proven a challenge for security professionals.
Instead of reporting a data breach, many businesses choose to follow the Uber strategy: conceal evidence of the breach and pay off the hackers. Often, these cybersecurity coverups stem from fears of dealing with the financial fallout of a breach. On average, a data breach can cost nearly $4 million. SMBs on average face fees, penalties, and remediation costs of around $2.5 million. These costs don’t even cover the potential costs of discovered compliance failures often exposed in post-breach investigations.
Therefore, even with new laws like GDPR mandating higher penalties for cybersecurity coverups, enterprises are still making cost-benefit analyses on whether to disclose a breach. The Uber settlement shows those businesses the long-term costs of a cover-up; if discovered (increasingly more likely as more digital connections are forged), the price will significantly outweigh the short-term savings. Instead, fortifying their network with threat detection and having a strong incident response plan will actually save them more in the long-term…and may even deter hackers in the future.
The Penalties for Cybersecurity Coverups Will Only Get Worse
The Californian Consumer Privacy Act of 2018 is a herald of times to come. More serious and far-reaching cybersecurity and data privacy laws are coming to the U.S, just like GDPR came to the EU. Every cybersecurity expert knows it will happen eventually. The question is when not if.
The $148 million Uber paid in its settlement might end up being a slap on the wrist compared to what U.S. enterprises will face in the future. GDPR already mandates nearly $22 million or 4% of annual global revenue (whichever is higher) for failure to comply with its data breach reporting requirements. Depending on your enterprise’s size, this could be a ruinous cost.
Further, blatant cybersecurity coverups are going to foster consumer and client resentment and even worse drops in business as higher expectations of data security become mainstream. The old tactics are dying. This is the time to evolve before something devastating happens.
In the End, the People on Top Suffer
Recently, Kaspersky Lab found 32% of corporate data breaches in North America led to the firing of C-Level leaders. At the large enterprise level, 27% of those C-Level leaders were senior executives and not affiliated with IT departments.
This might seem like an argument for cybersecurity coverups, but it is, in fact, the opposite. Even if your enterprise properly deploys and maintains a threat detection or SIEM solution, there is still a chance you could suffer a breach. But what happens then will help your board of directors and shareholders know if you are the right leader for the job.
Covering up a data breach indicates an administration marked by failure and cowardice. Having a strong incident response plan and guiding the enterprise through perilous waters shows true leadership and forethought.
Between those two options, we know who we’d want in charge.
Latest posts by Ben Canner (see all)
- 5 Key Security Analytics Capabilities for Security Operations Centers - October 17, 2019
- 40 Percent of Security Practitioners Don’t Report to the Board - October 15, 2019
- What Do SIEM Components Actually Do For Enterprises? - October 10, 2019