Uber's Response to Hack
What sounds like a major security breach is getting minimal response from Uber so far. A hacker, possibly 18 years old, apparently posed as a colleague to get IT access through an employee. An embarrassment to the company, the breach could include “full access to the cloud-based systems where Uber stores sensitive customer and financial data.” But Uber communications are trying to minimize the impact.
Three days after the breach, the only message I can find is a “Security Update,” copied below, on Uber’s Newsroom page. Company leaders are likely scrambling to lock down and protect information, but more communication is important. Criticism is harsh because of how easily the hacker appears to have duped an employee through social engineering and because of the unfortunate timing: Uber’s former chief security officer is currently on trial for paying hackers $100,000 to avoid disclosing a breach back in 2016.
The communication and situation are challenging, but people are watching and waiting, as we see in these tweets. This situation raises issues of several character dimensions, for example, accountability, humility, integrity, and courage. With more transparency, the company might be less vulnerable now, not more vulnerable as its leaders might fear.
September 16, 10:30am PT
While our investigation and response efforts are ongoing, here is a further update on yesterday’s incident:
We have no evidence that the incident involved access to sensitive user data (like trip history).
All of our services including Uber, Uber Eats, Uber Freight, and the Uber Driver app are operational.
As we shared yesterday, we have notified law enforcement.
Internal software tools that we took down as a precaution yesterday are coming back online this morning.
September 15, 6:25pm PT
We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available.