“The Uber hack” – 57 million accounts compromised?

The $68bn company admitted this week that their systems had been hacked and personal information stolen, in October 2016, and that Uber had paid the hackers $100,000 to destroy the information and keep the breach quiet.
The UK’s Information Commissioner’s Office (ICO) said, “Uber’s announcement about a concealed data breach last October raises huge concerns around its data protection policies and ethics… Deliberately concealing breaches from regulators and citizens could attract higher fines for companies.”
Was Uber right to cave in to the hackers?
I doubt it.
Not only does it send a signal (from one of the world’s biggest companies) that hacking pays – but it positively encourages the hackers to try again, and we can be reasonably sure that if the hackers got away with a mere $100K last time, they’ll be looking to up the ante next.
And Uber’s failure to come clean is surely a major mistake. Not only is the ICO likely to take a dim view about a cover-up – but customers can rightly be outraged that their personal details, passwords and so on might have been compromised with no opportunity afforded to them to take steps to protect themselves (e.g. by making password changes). The reputational cost alone is likely to be significant.
And all this as UK organisations are looking to 2018 and implementation of a new set of Data Protection laws to mirror the EU’s “GDPR” (General Data Protection Regulation) – a lot of work needs to be done between now and 25th May 2018 to ensure that effective compliance regimes are in place.
We are already advising a number of Unions about the implications of the new regime.
For professional, confidential advice contact Paul Scholey.