Uber has been hacked: what’s your risk?
I’ll keep this brief.
Uber has been hacked. It’s not the first time a major corporate has been on the wrong end of a cyber breach, but it’s particularly pertinent for Australian readers: in less than three months, new mandatory reporting legislation begins for some companies which discover personal data has been stolen.
As we prepare to enter this new era of mandatory reporting, it’s worth looking at just what a hash Uber made of their data breach.
When breaches happen, lawmakers and customers want accountability. The best way of doing that is to show them you thought about the issue, planned for it, tested it and responded in the spirit of the law, as well as to the letter.
Having had the personal information of more than 57 million users (and around 7 million drivers) stolen, Uber’s instinctive response was to try to cover up the hack. Bloomberg reports it paid hacking experts $100,000 to delete data in an effort to hide the breach. But if there’s one thing we know in the digital era, it is that cover-ups do not work. The truth will out, and if there’s evidence of attempts to hide the truth, then regulatory, investment and reputation damage will follow.
Uber’s new CEO, Dara Khosrowshahi (who has only been in the job a matter of months), said when he joined that his task was to reshape the culture of the disruptor. His public announcement about the breach goes some way to show he is serious about that, as does the removal of the CSO and legal advisor who may have known of the cover-up.
Australia’s incoming data breach laws are not exactly ahead of their time (California began legislating in this area in 2002), but the fact they are coming at all, together with breaches like Uber’s (or Domino’s, or Equifax, or any number of other badly-handled cyber security incidents), means boards and businesses should be looking carefully at their preparations in this area.
Here are 4 things you should be doing now in preparation for the mandatory data breach notifications which come in on February 22, 2018.
1. Ascertain what personal information your company keeps, and ensure you have taken reasonable steps to protect it.
2. Ensure you are monitoring social and digital channels before an issue occurs.
3. Prepare and implement a data breach response plan, which should include a communications strategy.
4. Test and practice your plan.
It sounds like work, and just one more thing your organisation will have to squeeze in over Christmas, but with the law changes looming, it needs to be done.
If you’d like some support in the preparation of materials before the February 22 deadline, drop us a line to find out more about our Mandatory Reporting packages.