As the ramifications of Uber’s stunning admission that it hid from the public a 2016 breach in which hackers made off with personal information on 57 million riders and drivers around the world are still shaking out, it still isn’t known whether any Canadians are victims. The California-based ride-sharing company says it is notifying regulatory authorities. The only jurisdiction in Canada where companies suffering data breaches involving personal information are required to report them is the province of Alberta.
“We have not received a breach report on this incident from Uber,” Scott Sibbald, communications manager at the office of the information and privacy commissioner of Alberta, told IT World Canada. “We’re following up with Uber and considering next steps.” Canada’s federal privacy commissioner has asked Uber for a written report on the breach, Global News said.
Meanwhile, a Canadian privacy expert says the lack of transparency by Uber in the incident is one more reason why Ottawa has to quickly finalize the regulations needed so a law on mandatory breach disclosure here for federally-regulated companies will come into effect.
“In Canada it sends a signal we need to get those mandatory breach regulations out there… so that companies will not have the choice of not reporting a breach,” said Avner Levin, director of Ryerson University’s Privacy and Cyber Crime Institute. It’s “very disturbing” the breach was covered up for a year, he added.
Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) was amended in 2015 to require federally controlled organizations to notify individuals, organizations and the Privacy Commissioner of breaches of security safeguards that create a real risk of significant harm to victims “as soon as feasible after the organization determines that the breach has occurred.”
However, that obligation doesn’t come into effect until regulations that companies holding personal information have to follow come into law. The government has released draft regulations and is asking for comment on them. Ottawa has given no date on when the regulations will be proclaimed. Even after the law comes into effect the federal privacy commissioner is not obliged to automatically tell the public it has been notified of a breach.
Condemnation from privacy, security and legal experts has been swift after Uber CEO Dara Khosrowshahi acknowledged that his predecessor had known about the breach 11 months ago. According to reports, Uber paid US$100,000 to the hackers on a promise the stolen data would be destroyed.
Customer data stolen included names, email addresses and mobile phone numbers. Stolen information on some 600,000 drivers included their names and drivers licences. “Our outside forensics experts have not seen any indication that trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded,” the CEO added in his statement.
While Khosrowshahi said Uber drivers are being notified and offered free credit monitoring and identity theft protection, he said nothing about passengers being notified. Khosrowshahi said the breach occurred when “two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use.” Those two persons have been identified, he said. There is so far no indication of criminal charges. Meanwhile, as of this week two Uber employees who “led the response to this incident are no longer with the company.”
There are various accounts of how the data was lifted, most of them agreeing that the two attackers accessed a GitHub coding site used by Uber software engineers, found a set of login credentials, and used those credentials to access an infrastructure account that handled computing tasks for the company. Within that infrastructure, the attackers discovered the archive of rider and driver information. One version says the data had been left on Amazon Web Services (AWS) storage.
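The failure mode described above, credentials committed to a source repository and then reused against cloud infrastructure, is exactly what repository secret-scanning checks exist to catch before a commit lands. The following is an added example, not code from the article or from Uber; it assumes AWS-style keys (the article only says one account placed the data on AWS storage) and uses the AWS documentation’s example key values as constructed test data.

```python
import re
from dataclasses import dataclass

# Constructed sample "files" standing in for a repository snapshot (not Uber's code).
# The key values are the well-known AWS documentation examples, not live credentials.
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = False\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    "deploy/run.sh": "export AWS_PROFILE=prod\naws s3 ls s3://example-bucket\n",
    "README.md": "Set AWS_ACCESS_KEY_ID in your environment; never commit it.\n",
}

# Minimal detection patterns (real scanners such as gitleaks carry many more):
# long-lived (AKIA) and temporary (ASIA) AWS access key IDs, and a 40-character
# secret assigned to a variable whose name says it is the secret access key.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?"
        r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
    ),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str  # which pattern fired; the matched secret itself is never stored


def scan_text(path, text):
    """Return one Finding per (line, pattern) hit; never echo the secret back."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding(path, line_no, kind))
    return findings


def scan_files(files):
    """Scan a mapping of path -> contents, e.g. the staged files of a commit."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def commit_allowed(files):
    """Pre-commit style gate: refuse the commit if any credential pattern fires."""
    return not scan_files(files)
```

Wire `commit_allowed` into a pre-commit hook or CI job so a credential never reaches the shared repository; scanning the history for keys that already landed is a separate, after-the-fact step.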
Uber may have broken the law in some jurisdictions by not reporting the breach either to regulators or affected persons. In some U.S. states – including California – breaches have to be reported. As of 10 p.m. Eastern Wednesday night the California attorney general’s office had made no statement of being notified by Uber. There are breach notification obligations in some European Union countries, although they aren’t all the same. However, they will be unified and toughened starting May 18, 2018 when the EU’s General Data Protection Regulation (GDPR) comes into effect.
Still, some privacy experts say it’s better for a company’s reputation to disclose sooner rather than later regardless of the law. Bradley Freedman, Vancouver-based national leader of the cyber security law group at Borden Ladner Gervais LLP, said it soon won’t be an option for companies to hide word of a breach. Not only will the GDPR and Canada’s breach notification regulations come into effect soon, but in the U.S. Congress is talking about a national breach notification law.
There may also be a common law duty to warn victims of possible harm, he said, although that hasn’t been settled in Canada yet. He noted that most consumer lawsuits here and in the U.S. will include an allegation of failure to give timely warning after a breach. Besides, he added, “we’re living in a world that moves at Internet speeds and the perceived stigma [to organizations] of these kinds of incidents has diminished.” More organizations that might have been reluctant to be transparent are changing their minds, he said.
“When you look at all the legal reasons why an organization is obligated to report – whether it be to comply with privacy laws, security laws, contractual obligations with business partners and customers and simple duties to warn – if there’s risk of harm [to the victim] there’s very little room for an org to say, ‘We have no duty to disclose and we’re not going to.’”
The new PIPEDA amendments give a broad definition of what organizations should consider under ‘real risk of significant harm’ to a victim: the sensitivity of the personal information involved in the breach, and the probability that the personal information has been, is being or will be misused. As for whether Uber’s reputation will take a hit, Levin is doubtful. “It probably won’t hurt them right now,” he said. “At the end of the day data breaches haven’t historically hurt companies that much. Maybe in recent years the trend has changed.”
Equifax’s CEO stepped down after that company’s embarrassing breach, Levin noted. But he suggested that was because of Equifax’s high profile as a company that collects sensitive information. Meanwhile, Levin said, Uber’s new CEO is presenting himself as someone who understands what it means to be in compliance with the law.
“None of this should have happened,” Khosrowshahi said in his statement, “and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”
Officials at security vendors issued statements denouncing Uber’s late admission of the breach and its attempt to cover it up.
Domingo Guerra, president and co-founder of mobile security company Appthority, noted his firm has released a report alleging Uber’s app and app ecosystem have put sensitive personal and corporate data of customers at risk.
“This latest news that Uber concealed a cyber attack, which exposed 57 million people’s data, points to a systematic lack of security and privacy best practices. This revelation is especially concerning because Uber and companies using its APIs collect a wide range of data on Uber users including location, ride history and service purchases.”
“This is just another case of [stolen] privileges being used in a targeted attack, hackers demanding ransom for stolen information, and companies not being morally responsible for the stolen user data,” said Morey Haber, vice president of technology at BeyondTrust. “They plainly acted like irresponsible children.”
“At the end of the day, most companies will be breached if an attacker really wants access to that company,” said James Carder, CISO at SIEM maker LogRhythm. “As with Uber’s case, it’s often not the breach itself but how you handle it post incident. You can still come out of a breach in a pretty good spot if you’ve been diligent about your IT and security controls – including the implementation of monitoring, detection and response capabilities that can help minimize the impact of the breach and stamp down any thoughts of negligence – and if you’ve handled the post-incident breach work well and in accordance with legal regulation and ethical principles.
“All of this, of course, is predicated on having an incident response and breach notification plan in place prior to being breached. The last thing you want to do is go into an incident ill-prepared, without a plan, and figure things out while in the middle of the incident.”