It was announced today that ride-sharing giant Uber will pay $148 million and tighten the company’s data security protections after failing to notify drivers that hackers had stolen their personal information.
Back in 2016, hackers accessed the personal data of 57 million Uber users. Instead of notifying the authorities and the public, Uber hid the evidence and paid a $100,000 ransom demand to ensure the data would be destroyed. The hackers had access to the names, email addresses, and phone numbers of customers and, even worse, the names and driver’s license numbers of 600,000 of its U.S. drivers. The breach became public in 2017, and the immediate response from the U.S. Government ranged from hefty legal fines to possible jail time for those who covered up the incident.
Now, almost a year after the breach went public, a settlement has been agreed upon by all 50 states and the District of Columbia. The settlement will be divided among the states based on the number of drivers each has.
“This is one of the most egregious cases we've ever seen in terms of notification; a yearlong delay is just inexcusable. We're not going to put up with companies, Uber or any other company, completely ignoring our laws that require notification of data breaches,” claims Illinois Attorney General Lisa Madigan. She claims that Illinois' share of this settlement is $8.5 million and that drivers impacted by this breach will each receive $100.
In addition to these penalties, Uber is also required to comply with state consumer protection laws safeguarding personal information and, moving forward, to immediately notify authorities in the case of a data breach. The settlement also requires the company to establish methods to protect user data stored on third-party platforms and to create strong password protection policies. There is simply no excuse for willfully ignoring these cybersecurity best practices or for operating with weak breach detection capabilities in place.
For organizations looking to protect against the most dangerous attacks, we suggest implementing the CIS Controls, starting with the Basic controls (Controls 1-6). These controls are a must for every organization looking to prioritize which actions must be taken first in order to defend against today’s most dangerous attack methods. They combine key security concepts such as Continuous Vulnerability Management and Change and Configuration Management into a set of actionable controls that can be used to achieve better overall cybersecurity defense.
NNT solutions alone can help you satisfy these first six controls, as well as the Foundational (CSC 7-16) and Organizational (CSC 17-20) Controls.
To learn how NNT addresses the CIS Controls, download our CIS Controls Solution Brief.
Read this on SecurityWeek