Uber’s Messaging on Cyber Breach Scandal Leaves Much to Be Desired

Uber just can't stay out of the news, for all the wrong reasons. And it has bungled its response to the latest crisis, raising more questions than answers and again proving that the cover-up is often worse than the crime.

The ride-hailing firm disclosed on Tuesday that it had been the victim of a massive cyber breach, with data of 57 million of its customers and drivers stolen in late 2016.

While many organizations struggle with cyber security issues, the moves the company made to hide the attack were severe. The firm paid the hackers $100,000 to destroy the data and stay quiet about the breach, according to a report by Bloomberg.

Uber told Bloomberg that it only discovered the breach once it hired an outside law firm to investigate its chief security officer Joe Sullivan, who the company fired this week. In a blog post, Uber's CEO Dara Khosrowshahi, who joined the firm in September, wrote “None of this should have happened, and I will not make excuses for it. We are changing the way we do business.”

But the way the firm conveyed the cyber breach left a lot to be desired. Sam Huxley, senior vice president of risk and business strategy at Washington, D.C.-based agency LEVICK, said he's paying close attention to the case as an example of what not to do when advising clients on security breaches.

"While firing the people responsible is an expected step, there was no messaging on what internal policies have changed," says Huxley. “The year-long delay in disclosure is compounded by two factors: The internal cover-up and the fact that they disclosed it at all was due to a legal opinion, not because it was the right thing to do."

In the blog post explaining the breach, Khosrowshahi claimed there was no evidence the stolen data had been used for identity theft or other criminal activity. But that statement didn't go far enough, Huxley says.

"Just because the data hasn’t been used to date is no guarantee that it won’t be used in the future," he says. "There was also no description of what evidence the hackers provided that the data was deleted. Nothing in their statement addresses what internal policies failed to prevent this, which means internal cover-ups and secret payouts could happen again.”

Other questions the company has so far failed to address include who the hackers are and whether they're being prosecuted, what evidence the hackers provided as proof of the breach and where that $100,000 payout came from. Those details should've been included in the company's official communications, Huxley says, and since they weren't, speculation and coverage will increase and brand equity will continue to erode.

In general, the latest crisis at Uber provides a cautionary tale for other firms grappling with the possibility of a cyber breach, says Huxley.

“Surrendering in ransomware attacks is almost never the right course of action, and it’s clear that the ransom was paid to internally cover-up the breach, not to protect users," he says. "While we recommend that clients simulate this type of attack, it is usually done under the assumption that the staff involved have the moral compass and oversight in place to prevent what transpired.”


Follow Sam: @shuxley

Follow Jerry: @Jascierto