In mid-September, rideshare company Uber Technologies experienced a security breach by a teenage hacker who simply wanted to flex their digital know-how. This wasn’t their first data breach. In November 2016 Uber was hit with a data breach that exposed the personal information of 57 million users, including drivers and passengers. It took over a year for the company to disclose the mishap and in the end paid up a hefty $148 million for violating data breach disclosure laws. This wasn’t the first time that Uber had been hit: the company was already participating in an investigation for a 2014 data breach. The acting Chief Security Officer, Joe Sullivan, gave sworn deposition that Uber was taking steps to improve their digital security. We now know that he paid off the hackers to delete the stolen data, sign a non-disclosure agreement, and hoped that it would all just go away. What most businesses don’t realize is that these actions amounted to “a failure to report a felony, according to the DOJ” and he was subsequently convicted of obstruction of proceedings of the FTC for failing to amend his testimony about Uber’s security conditions."
Many companies are aware of the dangers of housing data, but we are witnessing a pivotal shift in the fiduciary responsibilities of a business. Data and information have always been seen as a transaction: a company needs your money and your personal identifying information for you to receive goods, services, and experiences. Consumers casually give it away without considering the consequences because they trust the company. After all, if they are big and wealthy; we must assume they are doing things right. What businesses must now consider is that the implied trust in collecting personal identifying data now binds them and makes them responsible for putting a consumer’s interest ahead of their own “with a duty to preserve good faith”.
Uber is an example of what that means. It was cheaper for them to pay off a hacker than upgrade their data protection and cybersecurity infrastructure. Their strategy was to “keep their money” and risk overall security of the company; placing profits over the customer data they said they would protect. Not only did they not learn their lesson the first time, but they also chose to do it again. What is now spelled out for businesses is that it is no longer acceptable to maintain this strategy because it isn’t the company’s security they are risking: it is the consumer’s security they are putting at risk. Throw in there that if you are lying to the FTC and a company is publicly traded, you are essentially lying to the investors and shareholders. Valuation of a publicly traded company is partly derived from the amount of risk it holds. Multiple data breaches with the threat of costly ransomware payouts, legal and compliance fees, the cost of PR and brand damage as well as loss of consumer trust is the definition: too much.
Somewhere on the dark web was information about an individual who worked for Uber; their username and password were available for sale. This is where organizations think they are safe: a VPN, multifactor authentication, anomaly detection, and security training are in place and protecting their information. Where companies go wrong is they have a lack of understanding of how much information they are collecting, what they are doing with it, how long are they holding on to it, and where does it end up?
The tech industry calls this ‘dark data’, information that they are collecting and holding onto, storing it in awkward, disorganized, and unanalyzed corners of their company’s network with no idea how and if it is protected. The collateral damage of dark data is that consumers don’t know where information they have ‘input’ on a form ends up: is it a screenshot that is shared between teams on the internal chat or is it an excel or PDF that ends up sent through an email as a lead? It might even be data that is sent as a pile of information to the web department because the company is experiencing technical difficulties on an app or form. What employees don’t realize about dark data is that infiltration can happen inconspicuously from something as harmless as taking a snapshot on your phone of a revenue report because your internet went down and you have to take your next Zoom call from your phone. Imagine an employee needs to run out to pick up their kids from school and while they are waiting, they take a call from an account manager who shares a screenshot of a contact in Salesforce. The account manager asks the outside rep to call this account, and they are now accessing their SharePoint from unsecured wireless on their phone rather than a protected digital device on a VPN.
The good news is that the hacker only seemed to be a digital Ferris Bueller, taking the keys to the Ferrari and enjoying a day trip to the city. The bad news is that the consequences of a cybersecurity breach have long-reaching tentacles. Stock shares took a 5% dip on news of the hack, shareholders lost money and it triggered a stock market reaction. Had data and information been stolen it could be worse. Enterprise businesses should be shaking in their boots: where is information being held, for how long, who has access, and is there a clear understanding of the do’s and don’ts of sharing? Who is monitoring the data, what is being monitored, and is it effectively covering everything? What is the fate of a company, or even an individual within the company, when they aren’t invested in answering these questions?
The Uber hack is a wake-up call that data governance and protection are essential. An organization’s policies on how they handle data, the process and roles of those who encounter the data, and what requirements and credentials are in place highlight the failure of Uber. Compliance management is a challenging task and the creation of new content channels, messaging apps, collaboration tools, file sharing, and social media make it hard to stay ahead of the curve.
Veritas offers an integrated portfolio of capabilities that synthesizes intelligence from data sources to deliver insights to minimize risk. We understand that data management and regulation is a growing concern for companies and the legal obligation and ramifications are becoming stricter. We know that cyber breaches will continue to get worse and guarding information is the most important goal.
Our data compliance and protection solutions are built knowing that humans are not infallible. That is why statistics often state that more than 80% of data breaches are due to human mistakes. Veritas solutions prioritize multiple layers of security safeguard to protect your data and to limit attack surface with immutable storage, system hardening, access management controls, and data encryption. Our technology includes full data ecosystem visibility to locate and protect all those dark areas in your environment. Veritas provides powerful anomaly detection and malware scanning to alert for suspicious or out of the ordinary activity. Veritas Data Insight helps organizations improve unstructured data governance to reduce costs, reduce risk, and provide actionable intelligence into data ownership, usage, and access control. Additionally, we provide rapid, flexible, and hybrid recovery, along with our industry-leading orchestrated, non-disruptive recovery rehearsals so that you can recover quickly, when it matters most.
The concern isn’t the fact that Uber suffered a data breach; it’s that they suffered multiple data breaches with no consideration to make improvements. Businesses, like Uber, are choosing to protect profits over the welfare of consumers. Government regulation is quickly getting involved. It is only a matter of time before our economy is greatly affected by the choices enterprise corporations make. Decisions don’t have to be complicated, however; solutions like Advanced Supervision and Information Classifier help simplify the visibility and offer a comprehensive data protection option for a complex enterprise ecosystem. No other provider comes close to matching our scale and versatility for enterprise backup, recovery, and data management.
The next step is to ask yourself if you’re covered. Do you have enough data protection? Is it the right kind and does it do what you need it to do? How sure are you?
Is your organization ready to recover from a cybersecurity attack? Click here to begin our assessment to find out.