Uber's most recent data breach and cover-up was heard 'round the world.
However, it's the lawsuit filed by the City of Chicago this week that really nails the company's executive and cybersecurity leadership.
It only takes a single pargaraph from the 29-page lawsuit to do so:
"After the details of Uber's May 12, 2014 data breach were revealed to the public, Uber was investigated by a number of state and federal regulators that were concerned about its inadequate data security practices. Uber ultimately promised to bolster its data security policies by, inter alia, adopting protective technologies for the storage, access, and transfer of private information... less than a year later the same failures led to a breach that was one thousand times worse."
Where was the leadership here?
The lawsuit then discusses the breach aftermath and Uber's desperate attempt to hide it and how meaningless that really was:
"Uber paid hackers $100,000 to supposedly delete the data and took substantial legal steps to keep them from speaking about the breach publically. Uber even went so far as to hide the payment on its own books by categorizing it as a 'bug bounty payment.'"
SecureWorld has already detailed an alleged culture of cover-up at Uber.
"Of course, any agreeement that Uber reached with the criminal hackers was meaningless since criminal hackers couldn't possibly be trusted to protect user data. Nor did Uber require any proof that the stolen data was, in fact, deleted. That is because in an age where thousands of copies of digitial information can be made in a second, it is impossible for Uber to know that all copies of the data were in fact destroyed."
Perhaps that reasoning alone is why a global shipping company refused to pay a hacker's ransom demand in November 2017.
And it was the leadership—something that was clearly lacking at Uber.
