On Wednesday, California’s Attorney General, Xavier Becerra, announced that Uber has agreed to settle a nationwide investigation into its 2016 data breach for $148 million. While the breach occurred in 2016, Uber failed to disclose the breach until a year later, in violation of California data breach reporting and security laws that require companies to report and notify customers when their personal data is exposed.
The massive data breach, which Uber covered up for more than a year, gave hackers unauthorized access to the personal information of 50 million of its riders, as well as 7 million of its drivers. Of those drivers, 600,000 had their driver’s license numbers compromised. Uber then failed to inform users of the breach, choosing instead to reward the attackers with a $100,000 payment through its bug-bounty program, in effect paying ransom to the thieves in return for deleting the data and staying silent.
In a statement on Wednesday, California Attorney General Xavier Becerra said Uber “failed to safeguard user data and notify authorities when it was exposed. Consistent with its corporate culture at the time, Uber swept the breach under the rug in deliberate disregard of the law. Companies in California and throughout the nation are entrusted with customers’ valuable private information. This settlement broadcasts to all of them that we will hold them accountable to protect their data.”
Along with the payment, the settlement will require Uber to “implement and maintain robust data security practices.” The California settlement is the company’s second this year. In April, the FTC settled its investigation into the company’s handling of consumer data, an investigation spurred by a previous data breach at Uber in 2014, requiring the company to submit regular privacy audits. U.K. regulators have also been investigating the hack, saying in a statement last year that “Uber’s announcement about a concealed data breach last October raises huge concerns around its data protection policies and ethics.”
Breaches of Trust
Adding to the rapidly growing list of consumer data leaks, including Equifax, Facebook, and Exactis, the Uber breach highlights once again the failure of large corporations to adequately protect and safeguard the private information of their customers as hackers continue to succeed at infiltrating massive databases of consumer information at an alarming rate.
Not only are these breaches of security, but they are breaches of trust for consumers, as companies fail to disclose leaks until months or years later, with disturbing reports of negligent and unscrupulous behavior on the part of those entrusted with our data being released on an almost daily basis. There is still much education to be done, and discussion to be had, around proper protocols related to data breaches.
The settlement comes as governments and individuals around the world are struggling to grapple with consumer data security and privacy issues in the wake of near daily reports of massive data breaches and unscrupulous data practices. Governments around the world are beginning to clamp down. In May, the European Union’s General Data Protection Regulation went into effect, and following shortly thereafter, in June, the California State Legislature passed the Consumer Privacy Act, a sweeping digital privacy law that gives consumers more access to, and control over, the data that companies collect on them online.
Consumer Privacy Rights
The CPA is one of the most comprehensive and stringent data privacy regulations in the United States, and is the first salvo in what promises to be a raging battle over data privacy as consumer privacy advocates and legislators work to crack down on negligent and exploitative data security and collection practices. With the CPA and the Uber settlement, California is sending a clear message that policymakers are serious about holding companies accountable, and will help set the benchmark for more legislation around the country moving forward.
These developments mark the ratcheting up of tensions between companies looking to collect and utilize every bit of consumer data they can get their hands on, and those who have become increasingly wary of the way companies are using and protecting that data.
As the narrative shifts towards the rights of consumers, driven by the heightening of awareness that has come in the wake of the never-ending onslaught of alarming revelations, companies are being forced to reassess their privacy policies and collection practices, and some are even starting to play ball.
A Global Conversation
On Wednesday, tech heavyweights Amazon, Apple, Google, and Twitter all appeared before the Senate Commerce Committee to discuss federal data privacy legislation, acknowledging the need for better data standards and practices. With Congress now eyeing nationwide consumer data protections, Silicon Valley knows they can no longer afford to sweep data privacy concerns under the rug. As Amie Stepanovich, speaking to the Guardian, aptly puts it, “Companies are seeing that they can’t continue to claim people don’t want data protection laws. The movement is clearly forward, and companies don’t want to be left out of those conversations.”
Beyond Silicon Valley, digital privacy concerns are being raised around the world. Aadhaar, India’s national biometric identity system, has collected records on more than a billion people since its inception in 2009 and has come under increased scrutiny as of late. On Wednesday, India’s Supreme Court ruled to pull back on mandatory requirements for its use by banks, telecoms, and other Indian companies, citing privacy concerns and pushback from opponents who fear the system will further entrench the surveillance state.
Aadhaar has been at the heart of the privacy and data protection debate in India, having been breached multiple times over the past few years, with the personal data of more than a billion citizens reportedly being available for purchase on WhatsApp for a mere $10, despite the Unique Identification Authority of India’s claims that the system is impenetrable. And, in what is probably the most brazen of all recent breaches, the Huffington Post revealed on Tuesday that hackers were able to develop a patch that disables critical Aadhaar security features, allowing nearly anyone to create unauthorized identification numbers at will.
Following quickly on the heels of news of Aadhaar’s critical vulnerability, news came on Friday of yet another attack, this time at Facebook. Attackers were able to exploit a security vulnerability in Facebook’s “View As” feature, potentially giving them access to and control over nearly 50 million Facebook accounts. Facebook has yet to determine how many accounts were actually misused or how much information was accessed.
Along with broken government-sponsored national identity systems, which will present a host of new vulnerabilities moving forward as governments look to transition into the digital age, the vast scope of tech platforms such as Facebook presents concerns of data security and privacy on a global scale, with the well-being of billions on the line.
Bloom: Take Back Control of Your Data
With Bloom, we are giving you the power to take back control of your data. We give you the tools to own your own data and decide how it’s used. We believe in a world where you finally control your own information.
Bloom enables you to own, authorize the use of, and protect your data using the latest advancements in blockchain technology. With Bloom, the risk of your data being exposed in a data breach or leak is greatly reduced. No more centralized data storage. No more selling off your data to the highest bidder. No more risking identity theft. Your identity, and your highly sensitive personal and financial information, is secured and safeguarded on your own personal device using world-class cryptographic encryption.
- You own your data
- You control access to your data
- You decide when you share your data and who you share it with