Uber Breach Further Stresses the Need for Breach Reporting Laws in Canada

As the year quickly comes to a close, the need for mandatory breach notification and reporting requirements in Canada couldn’t be clearer. After Canadians were left in the dark for quite some time on the impact of the Equifax breach on Canadians’ personal data, it is once again unclear how another major breach affects Canadians – this time a year-old hack that compromised Uber customer data. Although the Office of the Privacy Commissioner of Canada (OPCC) has not yet opened a formal investigation against the ride-sharing company, the regulators have asked Uber for more information about the security breach that resulted in hackers accessing the data of 57 million users stored on a third-party cloud-based service. The information included names, email addresses and phone numbers, and although it is known that the driver’s licenses of about 600,000 U.S. drivers were taken, Uber still hasn’t provided numbers for Canadians.

Security professionals have raised alarms about Uber’s careless development team and poor security practices, while privacy advocates are raising alarms about how Uber handled the breach in the first place. It seems that Uber’s programmers uploaded security credentials to a GitHub repository – GitHub is an Amazon public cloud server where you are supposed to store open source code, not security keys. While the repository was password-protected, hackers were still able to gain access, indicating either a very weak password or that the user credentials for the repository had been exposed in an earlier, unrelated data breach at Uber. And even though Uber specifically promised regulators that it would use two-factor authentication on services like GitHub, it clearly failed to keep that promise.
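The practical lesson of the paragraph above is that credentials should be caught before they ever reach a repository. The following is an added example, not code from the original post or from Uber: a small Python check of the kind run as a pre-commit hook, which scans staged text for credential shapes (AWS access key IDs, private key blocks, and assignments to variables named like secrets) and uses a character-entropy threshold to skip obvious placeholders such as "changeme". The sample input is constructed; the AWS values in it are the well-known example keys from AWS's own documentation, and the pattern names and the 3.0-bit threshold are assumptions for illustration.

```python
import math
import re
import sys

# Shapes of credentials that should never be committed. The AWS access key ID
# format (AKIA followed by 16 upper-case alphanumerics) is publicly documented;
# the other two are generic heuristics, not a complete catalogue.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"
    ),
    # an identifier containing a sensitive word, then = or :, then 8+ chars of value
    "assigned_secret": re.compile(
        r"(?i)[A-Z0-9_.-]*(?:password|passwd|secret|api[_-]?key|token)[A-Z0-9_.-]*"
        r"\s*[:=]\s*['\"]?([^\s'\"]{8,})"
    ),
}


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; placeholders like 'changeme' score low."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str, min_entropy: float = 3.0) -> list:
    """Return (line_number, pattern_name, matched_value) for each suspected secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            if name == "assigned_secret":
                value = match.group(1)
                # Low-entropy values are most likely placeholders, not live secrets.
                if shannon_entropy(value) < min_entropy:
                    continue
            else:
                value = match.group(0)
            findings.append((lineno, name, value))
    return findings


def commit_is_clean(text: str) -> bool:
    """True when nothing in the staged text looks like a credential."""
    return not scan_text(text)


# Constructed sample of staged content. The AWS values are the example keys
# from AWS's documentation, not real credentials.
SAMPLE_STAGED = """\
# deploy settings
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
db_password = "changeme"
api_token = "Xq9!vL2#pR7mZ4kT"
log_level = "debug"
-----BEGIN RSA PRIVATE KEY-----
"""


if __name__ == "__main__":
    # Usage as a hook: python check_secrets.py <staged file>...; exit 1 blocks the commit.
    paths = sys.argv[1:]
    texts = {p: open(p, encoding="utf-8", errors="replace").read() for p in paths}
    if not texts:
        texts = {"<sample>": SAMPLE_STAGED}
    blocked = False
    for path, text in texts.items():
        for lineno, name, value in scan_text(text):
            blocked = True
            print(f"{path}:{lineno}: {name}: {value[:6]}... (redacted)")
    sys.exit(1 if blocked else 0)
```

Run with no arguments it scans the embedded sample and reports four findings (the access key ID, the secret access key, the api_token value and the private key header) while skipping the "changeme" placeholder; wired into a pre-commit hook over the staged files, a non-zero exit stops the commit. The entropy check trades a few misses for far fewer false positives, so it belongs alongside, not instead of, two-factor authentication on the hosting service and key rotation when a leak is found.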

The hackers are two individuals who claim they were paid a $100,000 ransom to keep the breach quiet. Uber said it does not believe individual riders need to take any action given the breach, as it has seen no evidence of fraud or misuse tied to the incident.

Authorities in the United States have launched investigations into the breach. For example, New York’s state Attorney General has confirmed it has opened an investigation into the breach, with state laws requiring companies to give notice if data is stolen. The company also faces potentially higher than usual fines from British authorities because the firm did not promptly disclose the hack as required by laws in the U.K. Canada, however, does not have laws requiring disclosure of data breaches, as draft regulations amending PIPEDA on this very point have not been finalized. When they are, not only will the new rules require reporting breaches to the OPCC and notifying individuals, but organizations that fail to do so, or that don’t maintain detailed records of data breaches, could face significant fines.

Demonstrating accountability and being upfront about a data breach tends to retain customer trust, but clearly, reputational damage isn’t enough to force organizations to be transparent about a data breach. When something goes really bad, there is a human tendency to want to cover up – fear of the repercussions can quickly win over doing the right thing. Organizations are just the human beings involved, of course. Uber’s new CEO certainly got it right in confronting this breach head on. The company has let go two employees who led the response to the hack, including Uber’s Chief Security Officer. And as expected, numerous class action lawsuits are being filed against Uber. Hopefully the breach notification and reporting rules coming to Canada will result in responsible breach management and response, as well as transparency for consumers on the risks to their privacy.

It is impossible to ensure that data breaches don’t happen, so companies need to be prepared for when they do, including how to communicate with the regulators and their customers. For assistance with your breach response plans, contact PRIVATECH.