Monday, November 27, 2017

Uber Under Pressure for Data Breach

In recent years, the rideshare-app company called Uber has not led anyone to believe they would win a corporate personality contest.  Their aggressive growth and shouldering aside of municipal regulations and the charges of sexual harrassment that ultimately led to the resignation of Uber co-founder Travis Kalanick last June have now been followed by a revelation that Uber had a massive data breach in October of 2016, over a year ago, and didn't make it public till last week.  Besides probably violating state laws, this latest flap raises serious questions about the responsibility of companies to protect consumers' data, and what companies should do when that data is compromised.

Here is apparently what happened.  A year ago last October, Uber discovered that hackers had obtained about 57 million names, addresses, and emails of customers who had used Uber's services.   The hackers also snagged driver license numbers for over half a million of these people.  Then they pulled a classic blackmail act:  for a mere $100,000, the hackers offered to destroy the data and keep the whole thing a secret.  Under the reign of Kalanick, Uber agreed to this deal.  The company claims that they have evidence that the data was destroyed, but one can be permitted to wonder about something that amounts to proving a negative. 

The main problem with all this skulduggery, other than the breach itself, was the way Uber handled it.  Many state laws require companies to disclose major data breaches like this within a stated time, usually within four to six weeks of discovery.  Uber clearly didn't do this.  And even if Uber's new CEO, Dara Khosrowshahi, had disclosed the incident upon taking up his new job in September, instead of waiting for two months, Uber would have still been violating these laws. 

As hacks go, in terms of numbers and the kind of data stolen, there have been worse incidents.  But still, knowing that your email and linked phone number, and maybe your driver license number, are floating around out there in the hands of blackmailers, is not a comforting thought.  Even worse is the fact that Uber caved so fast to the blackmailers' demands.  True, not many hackers offer to destroy the data they've stolen, but words are cheap. 

What should consumers do when faced with a choice to either (a) deal with a company that offers an attractive service at a good price, but has a reputation for shady actions with regard to its own employees, hackers, and the law, or (b) well, maybe there isn't another good choice, except to try calling an old-fashioned cab and hope for the best?  (Full disclosure:  I have never used Uber, airbnb, or any of those other newfangled apps that are breaking down the time-honored traditional service industries.  There's nothing intrinsically wrong with using them, and many millions of happy customers continue to do so.  But I have no personal experience with them myself.) 

Even if a person is well aware of Uber's less-than-stellar corporate reputation, in many cases one doesn't have a choice:  Uber has chased away most of the competing apps (Lyft being an exception in some locations).  To use anything else may require a great deal of conscious effort and ingenuity, and in some locations and situations it simply may not be possible at all.

There is a paradox in the fact that the digital online world on the one hand promises an infinity of options and choices.  But on the other hand, when it comes to certain close-to-essential services such as search engines, online transportation apps, and Internet service providers, the list of workable choices at a given time and place is usually radically limited to a few, or even one. 

From a business point of view, this narrowing of choices is a function of what is called the network advantage.  As Ma Bell found out around 1890 when the telephone network was experiencing rapid growth, every customer a network company adds not only increases the company's customer base, but also makes that same company more valuable to all of its other customers.  That doesn't apply in exactly the same way to Uber as it does to AT&T, but the principle is the same:  the biggest firm in a network-intensive business automatically has built-in advantages over everybody else, and so you usually end up with a winner-take-most situation.  For those lucky enough to invest in the biggest company before it takes over the whole market, it is a very attractive deal indeed.  But for consumers wishing to have a meaningful choice among a number of alternatives, the dominance of a single firm is less than salutary.

The concept of privacy, and the related idea of security, may simply have to keep changing as we seem to accept risks that a few years ago would have simply been unacceptable.  Even in the Middle Ages, there was no such thing as absolute security.  A man carrying a purse of gold coins was always liable to run into some ruffians who would knock him down and rifle through his possessions.  But one of the basic attractive features of civilization is that under most circumstances, people can go about their daily business using services that they need, without unduly running the risk of somebody coming along and taking valuables from them. 

Now that identity theft is so easy, it's something that is ethically equivalent to a purse of gold coins carried by a Middle Ages merchant.  But in the wild-West environment that is the global Internet, we have left the providing of security largely to service firms themselves, with results such as the Uber breach that are far from encouraging.  In breaking the law requiring timely notification, Uber became one with the hackers, at least to the extent of ignoring the law.  Unfortunately, none of its customers knew what they were up to.  And now that we know, many people will simply shrug the incident off as one of the risks of modern digital life.

Maybe it is, but to my mind, accepting and tolerating such things is a step backwards in the progress of civilization.

Sources:  I referred to reports on the Uber data breach at, posted on Nov. 24 at, and the Washington Post at  I also referred to the Wikipedia articles on Travis Kalanick and Uber.

No comments:

Post a Comment