Matt Jones | 23 Nov 2017

You’ve probably already heard the news of the serious data breach Uber has admitted to in the last 24 hours. For those who haven’t: Uber CEO Dara Khosrowshahi has admitted to a breach that happened over a year ago, in October 2016, which exposed the driver’s licence numbers of over 600,000 drivers in the United States and the personal information of over 57 million Uber users worldwide. At this stage, we don’t know how many of those are UK citizens.
Source: https://www.uber.com/newsroom/2016-data-incident/

Uber’s mistake

What’s really surprising about this story is not the data breach itself, but just how badly it was handled by Uber. You could say it is an object lesson in how not to do it. Firstly, Uber failed to report the incident to the regulator. Then, according to a report by Bloomberg, it paid the hackers $100,000 to delete the data and keep quiet about the breach.

GDPR, time for change

Fast forward six months or so to the introduction of the GDPR and Uber could have been in even hotter water. The damage to its reputation is one thing; with time I’m sure Uber customers and drivers will forgive and forget. But the GDPR has real teeth when it comes to enforcement by the regulator, which will have the power to fine companies that flagrantly breach the regulation up to 20 million Euros or 4% of global annual turnover, whichever is higher. Large multinationals such as Uber are just the kind of company that a regulator is likely to make an example of. In fact, the ICO Deputy Commissioner commented today on the Uber data breach:

"Uber's announcement about a concealed data breach last October raises huge concerns around its data protection policies and ethics … Deliberately concealing breaches from regulators and citizens could attract higher fines for companies."

The fact that Uber failed to report the breach to the regulator is significant. Under the GDPR, an organisation in Uber’s position will be required to report a personal data breach to the regulator without undue delay and, where feasible, within 72 hours of becoming aware of it. Organisations must be accountable and transparent not just with the regulator but, where a breach is likely to result in a high risk to them, with the individuals whose personal data they store or process.

In Uber’s case, the company stated that the data had been inappropriately accessed on a third-party cloud service that it uses. This has implications for all of us who manage customers’ personal data via our websites and cloud-based services: under the GDPR you remain responsible as the data controller for the processors you rely on. It is therefore going to be very important that these services, as well as our websites, comply with the GDPR come the 25th May 2018 deadline.

The steps you should take

So what steps should you take to minimise your risks and ensure that your website complies with the GDPR? There are a number of things you should do, and the time to start is now. Firstly, familiarise yourself with the new regulation. Probably the best starting place for this is the Information Commissioner’s Office (ICO) website, which offers a guide and a checklist for the new regulation.

Here at Quba we have recognised that many companies are unsure of what to do to ensure their website is compliant, which is why we have put together a useful guide to making your website compliant and are offering a technical audit service to ensure that your website meets the requirements of the GDPR.

What has happened to Uber could happen to any one of us; it is how we deal with it, and the steps we take to prevent it, that count. This is going to become even more important with the introduction of the GDPR on the 25th May 2018.

To sign up for our free guide or to inquire about a technical audit of your website email us at: gdpr@quba.co.uk