Uber’s most recent PR disaster, exposed today by Bloomberg, was the revelation that the company covered up a data breach, which saw 57 million customer and driver accounts compromised.

It is the latest in a long line of disastrous stories surrounding the ride-share company, but what makes this story so shocking is just how many errors the company made whilst dealing with the leak.

The Bloomberg story stated that the hackers had obtained login credentials for the app’s Amazon Web Services cloud through GitHub, which is an online repository for source code and software development. This raises the question of why exactly these credentials were stored on a platform such as this in the first place, and how exactly they got there. It is surprising that a company of that size could be so careless, and it seems as if it was relatively easy for the hackers to obtain what they needed to breach the system.

To make things worse, this is not the first time this has happened. In 2016, the business was fined $20k for another, much smaller, breach, which happened back in 2014. Uber’s chief security officer Joe Sullivan has now parted ways with the company, but questions need to be asked over his response to the initial leak. Did the company undergo a rigorous review of its security systems? Were staff adequately trained in security measures? The fact that the login credentials were on GitHub would suggest not, so does that mean that nothing was done after the first breach to make sure it didn’t happen again? And, if so, why not?

The fine for that initial leak was the result of not declaring the data breach to the relevant regulators, which makes it all the more surprising that they opted to forgo this again. The only way a company can be found liable for a data breach is if they fail to declare it, so it seems either incredibly short-sighted or rather suspicious that they didn’t declare this much larger breach. It is incidents such as this that have forced governments to conclude that the General Data Protection Regulation needs to be implemented.

This is terrible for the Uber customers. The whole point of alerting regulators to a breach is so customers can be warned that their data is out there and that they should take the necessary steps to minimise the impact. Uber insists no payment details were taken, but it is very difficult to take them at their word considering they have been covering up this incident for so long. The response has also been a little weak. Surely more detail about whose accounts were compromised would be a necessary courtesy at this point? Continuing secrecy will only make customers less trusting of the already beleaguered product.

The details surrounding the agreement, made with the hackers to destroy the data in exchange for $100k, are concerning. How do they know the data was destroyed? How do they know the data was not passed on before it was disposed of? What methods did the hackers use to contact Uber? Did the company get the police involved? How was the money exchanged, and if they had details about the hackers such as bank accounts, couldn’t the police have helped track them down? It is all so shady, and it’s amazing that no one is labelling this incident as a form of extortion. By bargaining with hackers, Uber has set a precedent for this sort of behaviour, legitimising hacking to a certain extent by rewarding those that conducted the breach. This has the potential to increase the number of incidents such as this, as those who partake in hacking will be buoyed by the perceived success.

On top of all this, Uber are currently negotiating another deal, a $10 billion investment from Japanese financial service Softbank. The agreement is still on the table, but you have to wonder how patient the bank will continue to be after yet another PR blunder from the Silicon Valley company. Just in the last year, the former CEO Travis Kalanick has been removed from his post following a series of disasters, including sexual harassment complaints, controversial use of “Godview” technology, running the service without a license and Kalanick himself being caught on camera yelling at an Uber driver. Customer trust is eroding, and it will be interesting to see how much Softbank will want to do with Uber after this latest revelation.

Marclay recommends that everybody with an account should change their Uber password immediately. You can do this by going into your app, selecting settings and pressing your information at the top, which will include your name, number and email. Here you will be able to change your password. We would also advise that you monitor whatever card you have stored with Uber for unusual activity. In cases like this, it is better to be safe than sorry.