On August 15th, Uber agreed to pay a whopping $20M fine and significantly improve compliance with General Data Protection Regulation (GDPR). What was happening was that too many unauthorized people had access to consumer personal information and this was putting Uber riders at excessive risk. The nature of Uber’s “fast growing” company wasn’t an acceptable excuse and the FTC reaffirmed that security and privacy promises must be honored.
The Problem with Uber
Uber, after initial complaints that customer data was being improperly accessed, implemented a new policy and placebo fix in 2014 to get the government off its back. This made it look like it protected the data but, according to the FTC, it had not. The company didn’t even bother to monitor access after the fix was put in place and the FTC was not amused, leading to this latest, far more expensive and embarrassing, consent decree.
It is also interesting to note that Uber used a third party cloud provider to store its data. That’s not an uncommon practice, but it was held accountable for the inability of that provider to properly secure the data. The provider was Amazon Web Services (AWS), which was called out in the complaint, and outed as part of the overall problem.
The FTC alleged that Uber didn’t take reasonable care, in effect was arguably negligent, in protecting user data. I expect we’ll have some additional class-action lawsuits result. Almost everyone had access to almost everything and they didn’t even use multi-factor authentication to protect this global level of access. This is unprecedented in a modern technology company. The data was in plain text, not even encrypted, so any AWS employee could have likely accessed it as well, providing an unprecedented level of exposure.
By the way, AWS pretty much got tossed under the bus here, suggesting that it, and other cloud service providers, may need to step up to better assure hosted data to avoid collateral brand damage. I would expect boilerplate on cloud service provider contracts that provides penalties for any brand damage that occurs because a provider or customer makes this kind of mistake and gets caught in the future. (In fact, I’d start looking for it now, as my old legal team often put clauses like that in automatically).
After the consent decree, each violation of this order to protect consumer data will cost Uber up to $40,654. Uber has 40M active users, so that suggests a future fine for something like this could shut Uber down, exceeding by several magnitudes Uber’s current net worth. While that outcome remains unlikely, more likely fines would set records and likely put the firm into a financial crisis. Just the distrust this creates with Uber users and the collateral damage to AWS is extreme enough to make sure you haven’t made similar mistakes.
Given that they are expected to have a full audit done in 180 days, the likelihood of additional problems yet undiscovered and exposed is high, so they may not even be out of the woods on this current problem, let alone be truly ready for the next one. The new CEO may be screwed and not even know it.
Once something like this is in place with any government agency, it often becomes a precedent for future decisions for similar problems. It showcases what the government expects: strong access control provided through an enterprise class product to assure only those that by policy should have access to data do have access to data. This data must be adequately encrypted, particularly if it resides off-premise, suggesting a more rigorous repository than a base AWS service, and employee authentication to that service must meet minimum standards (multi-factor, etc.).
Most of this has been part of a minimum-security standard in most large companies but it often surprises me how often firms fail related security audits. With whistleblower laws providing substantial monetary incentives for disgruntled employees to report problems like this, ever growing numbers of attorneys willing to fund related class-action suits, and ever more nervous insurance companies, this kind of precedent could become very expensive for a lot of folks.
Wrapping Up: Secure Your Customer Data
This should serve as yet one more reminder that you need to aggressively secure your customer data. From implementing an access control solution, to encrypting the related database, to assuring the security of the repository, to assuring authorized users are who they say they are, to doing regular security audits over this data, the FTC has put everyone on notice. You will do an adequate job of protecting customer data or face ever more extreme, and avoidable, consequences.
As a side note, when doing security audits myself, I find that very few of the executives in the chain of command, once a problem of this magnitude is discovered, particularly if it is made public, have a job or career anymore.
Given that AWS took an undeserved hit on this, I’d anticipate (if it hasn’t happened already) clauses that penalize customers for problems like this, increasing the potential monetary damage should breaches like this be found in the future.
In short, this kind of thing is career eliminating and will be excessively expensive. Certainly, it is something to be aggressively avoided, even if it wasn’t the right thing to do in the first place. Which it most certainly is.
Rob Enderle is President and Principal Analyst of the Enderle Group, a forward-looking emerging technology advisory firm. With over 30 years’ experience in emerging technologies, he has provided regional and global companies with guidance in how to better target customer needs; create new business opportunities; anticipate technology changes; select vendors and products; and present their products in the best possible light. Rob covers the technology industry broadly. Before founding the Enderle Group, Rob was the Senior Research Fellow for Forrester Research and the Giga Information Group, and held senior positions at IBM and ROLM. Follow Rob on Twitter @enderle, on Facebook and on Google+