To conceal a massive hacking, UBER has paid hackers to keep quiet.
In October 2016, after being accused of several scandals regarding claims of sexual harassment, discrimination and embarrassing leaks about executive conduct, Uber faced a massive hack that exposed personal data of 57 million drivers and users of the App. To keep the piracy under silence, Uber accepted to pay 100,000 $ to the cybercriminals.
In November 2017, Uber admitted that several personal data had been stolen by hackers (names, email addresses, phone numbers) but still denied that sensitive data had also been hacked (credit card numbers in particular). Who knows?
Most of the hacked users and drivers were located in the USA, but not only. Even though Uber declined to tell which other countries who could have been affected, several European data protection authorities have triggered investigations. In the UK for instance 2.7 million users would have been hacked. In France, no information has been disclosed. Mounir Mahjoubi (secretary of state for digital) invited the Uber’s CEO, Dara Khosrowshahi, to voluntarily inform the French users of the App of any potential breach in France. Since November, no news!
A textbook case in terms of liability.
A slew of class-action lawsuits in the US
Under Californian state law, American companies must notify state residents of any breach of unencrypted personal data. Furthermore, the attorney general must be informed when more than 500 residents are affected by a single breach. Uber did not comply with any of the above.
There is a debate before the US courts to decide how to treat data breach lawsuits. For many years, the courts ruled in favour of defendants as the plaintiffs did not alleged a sufficient injury to comply with the ‘standing requirements’. But, recently, in August 2017, regarding a class action consumer data breach, the D.C. Circuit, ruled that ‘the claimants’ risk of future harm is sufficient to meet the standing requirements’.
Uber will probably become an iconic trial for data protection breach, as the company is facing according to the Washington Post “at least three potential class-action lawsuits and separate investigations by the attorneys general of New York, Missouri, Massachusetts, Connecticut and Illinois” as well as some investigations conducted by the Federal Trade Commission.
In Europe – first one-stop-shop regulatory mechanism
On November 29, 2017, the Article 29 Working Party established a taskforce on the Uber data breach case to coordinate all the national investigations under the leadership of the Dutch Data Protection Authority (‘DPA’), where Uber has its EU headquarters. This task force includes representatives from the DPAs in France, Italy, Germany, Belgium, Spain and the United Kingdom. This European initiative is a precursor for the one-stop-shop regulatory mechanism to be introduced by the EU General Data Protection Regulation (‘GDPR’) coming into force in May 2018.
Under the GDPR, Uber has violated several obligations, such as taking sufficient and appropriate action to ensure security of data that were unencrypted, notifying the breach to the data subjects and to the supervisory authority without undue delay (no later than 72 hours of being aware of the hack). Under the GDPR, Uber would have been subject to a fine of 4 % of its global annual revenue.
This needs obviously to be followed carefully!