The popular ride-hailing service Uber suffered a data breach on May 13, 2014, in which the names and driver’s license numbers of 50,000 drivers in the United States were exposed. Uber only discovered the breach on September 17, 2014, and, worse, did not notify the affected parties until January 27, 2015.
There are several problems here, not least that Uber needs to improve the security of the information it stores.
The bigger problem is that the company failed to notify its drivers until more than four months after discovering the incident. Most states in the United States have data breach notification laws that require a company to notify the affected individuals, and in many cases state authorities, promptly after a data breach.
Uber has its corporate headquarters in California and conducts business there, so the California breach notification law (Civil Code section 1798.82) applies to it, at least for drivers who are California residents. The law, whose purpose is to protect the privacy of personal information, defines that term as follows:
“Personal information” means an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
- Social security number.
- Driver’s license number or California Identification Card number.
- Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
The breach clearly involved personal information as the law defines it: names paired with driver’s license numbers. The law also specifies how quickly an organization must notify affected parties once it discovers a breach. This is taken directly from the statute:
1798.82. (a) Any person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
I am neither an attorney nor an expert on time, but four months does not look like “without unreasonable delay.” According to a blog post by Uber’s Managing Counsel on February 27, 2015, the company has not received reports of misuse of any information, but it is notifying impacted drivers and recommends that they monitor their credit reports. Uber is also giving affected drivers a year of free credit monitoring, which is fairly standard.
The problem is that in the four months between discovery and notification, drivers’ privacy could easily have been compromised without their knowing to watch for it. Given the rampant growth of identity theft and fraud, this is a tough pill to swallow.
Hopefully Uber has since locked down access to its sensitive information and considered encrypting the data at rest under a persistent security policy that stays with the data. The California statute, and most of the state laws modeled on it, applies only to unencrypted personal information: the definition above covers a name combined with a data element “when either the name or the data elements are not encrypted,” so the theft of properly encrypted records is not a notifiable breach. The practical caveat is that this only helps if the attacker did not also obtain the key. Keys stored alongside the data, or reachable through the same compromised credentials, make the ciphertext as good as plaintext to whoever copied the table.
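As an added example (not part of the original post and not Uber’s code), the following Go program shows what encrypting the sensitive field so that a copy of the table is useless without the key looks like in practice. The record layout, the driver name and the license number are constructed for the demo; the key is generated in `main` as a stand-in for one fetched from a KMS or HSM at startup and never written to the database. The license number is sealed with AES-256-GCM and the driver’s name is bound in as associated data, so a ciphertext moved from one row to another, or modified in place, fails to authenticate instead of decrypting.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// DriverRecord is a hypothetical row layout for this example (not Uber's
// schema). The name is stored in the clear; the license number is stored only
// as an AES-256-GCM ciphertext, so a dump of the table without the key does
// not contain "name + license number", the pairing the statute is about.
type DriverRecord struct {
	Name       string
	LicenseEnc []byte // nonce || ciphertext || GCM tag
}

// newGCM builds the AEAD. The key must be 32 bytes and must come from
// somewhere other than the database (KMS, HSM, sealed config); if the key is
// stored next to the data, a dump of the database is a dump of the plaintext.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// NewDriverRecord encrypts the license number under a fresh random nonce.
// The driver's name is bound in as associated data, so a ciphertext copied
// from one row into another fails to authenticate instead of decrypting.
func NewDriverRecord(key []byte, name, license string) (DriverRecord, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return DriverRecord{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return DriverRecord{}, err
	}
	// Seal appends the ciphertext and tag to the nonce, giving nonce||ct||tag.
	blob := gcm.Seal(nonce, nonce, []byte(license), []byte(name))
	return DriverRecord{Name: name, LicenseEnc: blob}, nil
}

// DecryptLicense recovers the license number. Any change to the key, the
// nonce, the ciphertext, the tag, or the associated name is rejected.
func DecryptLicense(key []byte, rec DriverRecord) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(rec.LicenseEnc) < gcm.NonceSize()+gcm.Overhead() {
		return "", errors.New("stored blob too short")
	}
	nonce, ct := rec.LicenseEnc[:gcm.NonceSize()], rec.LicenseEnc[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(rec.Name))
	if err != nil {
		return "", err // wrong key, tampering, or transplanted row
	}
	return string(pt), nil
}

func main() {
	// Stand-in for a key fetched from a KMS at startup; generated for the demo.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Constructed sample driver; not real data.
	rec, err := NewDriverRecord(key, "Jane Doe", "D1234567")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: name=%q license=%s\n", rec.Name, hex.EncodeToString(rec.LicenseEnc))

	lic, err := DecryptLicense(key, rec)
	fmt.Printf("with key: %q err=%v\n", lic, err)

	// An attacker holding the table but not the key gets an authentication
	// failure, not a license number.
	_, err = DecryptLicense(make([]byte, 32), rec)
	fmt.Printf("without key: err=%v\n", err)
}
```

The stored blob is the only thing a database dump would yield; without the key it is random-looking bytes, and with the wrong key or an altered row `gcm.Open` returns an error rather than garbage. Rotating the key means re-encrypting the column, which is the price of keeping the key and the data in different places.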
What are you doing to protect the sensitive information inside your company?
Photo credit Wallstreet OTC