How not to deal with a data protection breach – Uber in the news again
As the ongoing saga of the Uber drivers Employment Tribunal bubbles along, the company has been in the news again. This time, in relation to its data protection policies.
Uber has been required to take urgent action following the revelation that, in 2016, hackers were able to download files from the company’s cloud-based storage accounts.
The files contained personal information about 57 million Uber users around the world including names, email addresses and mobile phone numbers. In addition, the names and driver’s license numbers of approximately 600,000 drivers in the US were obtained.
The chief executive of Uber, Dara Khosrowshahi, has assured customers that action is being taken and that he only recently was informed that the breach had taken place. He indicated that trip location history, credit card numbers, bank account numbers, social security numbers and dates of birth were not in the information downloaded.
So, what steps were taken? At the time of the incident in October 2016, the company secured the data, shut down unauthorised access, identified the hackers, demanded confirmation that the information obtained was destroyed and implemented new security measures.
The question obviously arose as to why this potentially catastrophic breach was not made public at the time of the hack. Khosrowshahi merely stated that he ‘had the same question’, so the jury is out on that point. The chief executive has taken the following actions in light of the recent discovery:
- Engaging an expert to consult on security and procedures
- Termination of two staff members’ employment
- Notification to drivers individually whose license numbers were obtained and provision of free credit monitoring and protection against identity theft
- Notification to regulator
- Monitoring of affected accounts and provision of additional fraud protection
What does this mean for the UK? The Information Commissioner’s Office (ICO) deputy commissioner, James Dipple-Johnstone, has advised that the data breach raises huge concerns about the ethics and data protection policies of Uber. An investigation is to be launched where the ICO will work with the National Cyber Security Centre to ascertain the scale of the breach, how this affects individuals in the UK and what Uber needs to do to comply with its obligations in respect of data protection. Uber must identify any UK citizens who have been subject to the data breach and take steps to reduce any harm caused. The ICO has warned that deliberately concealing breaches from regulators and citizens could attract higher fines for companies.
Although the investigation is yet to commence, there is speculation that the timing of Uber’s disclosure is not unrelated to the fact that the new General Data Protection Regulation (GDPR) comes into force on 25 May 2018. Breach of the GDPR may attract fines of 20 million Euros or 4% of annual worldwide turnover, whichever is the greater. Currently, the ICO only has the power to issue fines of up to £500,000, and the highest fines to date include a £400,000 fine given to TalkTalk in October 2016 for a breach affecting 156,959 customers. Uber may well want to get the investigation out of the way before the higher fines are implemented.
All businesses are obliged to have systems in place for the GDPR to ensure compliance with data protection principles. The starting point is to assess current data security measures, ensure that there is an efficient reporting mechanism and train employees on what to do if there is a breach. If you would like to discuss the changes that the GDPR shall bring and how this affects your business, please contact Elaine O’Connor on 0207 940 4000 or firstname.lastname@example.org.