Potential cost of Uber’s breach under GDPR
Recently it was announced that Uber suffered a significant breach, reported to have affected 57 million of the ride-sharing app’s users.
Without knowing exactly what cyber security measures Uber have in place, it is likely that they had reasonable measures to protect their data but suffered a breach nonetheless.
The General Data Protection Regulation (GDPR) consists of a series of rules and regulations designed to “protect and empower all EU citizens” and reshape the way organisations are storing and processing private data. Although the regulation is already in law, the authorities allowed a grace period to enable companies to get their IT infrastructure in check before the enforcement date, which was set as 25th May, 2018. If found to fall short of the GDPR, companies can face fines up to £17 million or 4% of global revenue, whichever is the greater sum.
The regulation accepts that companies may suffer a breach. However, GDPR also states that a company has up to 72 hours to report a breach and notify those who have had their data compromised. Not only did Uber suffer the breach in 2016 (over a year ago) and fail to report it, but it is also reported that they paid the hackers $100,000 in order to keep the breach secret. The main concern is that this could encourage other groups of hackers to target large firms, in the hope that they might get a large payday.
A city cyber law barrister, Dean Armstrong, said, “As Uber hasn’t released its figures we can’t speculate as to the potential final cost of the fine, but it is fair to say the regulator would have come down hard and under the regulations, it would likely be in the tens of millions.”
However, away from the financial penalties, the reputational damage Uber could suffer from this hack could be their main concern. Concealing a hack such as this shows a lack of care for their customers and employees who have had their records leaked.
In the interest of fairness, it is worth noting that this breach and the subsequent concealment took place under a previous chief executive. Current CEO Dara Khosrowshahi, who took over in September this year, was behind coming clean about the leak and has vowed that “we are changing the way we do business.” After threats from TfL to revoke Uber’s license in London, it is the latest in a line of unsavoury headlines for the ride-sharing giant. With the amount of sensitive data they are handling, they have a duty of care and now a legal obligation to process and store their customer and employee data in a transparent fashion.
Any business that wishes to operate in the EU or handle EU citizens’ data must now abide by the GDPR. These obligations extend far beyond global powerhouses like Uber. The same rules are applied to businesses of all sizes, but importantly, whilst Uber could have afforded to pay the fines, many small and medium-sized businesses could have been put out of business, not only through financial punishment, but also through reputational damage.
It is perhaps best to finish with Armstrong again, who says, “this lesson will finally signal to other organisations that law-makers, and the public have had enough of poor data protection provision.” The GDPR is coming and it’s unavoidable, so you need to make sure that your organisation is prepared and playing by the rules.