The revelation that Uber Technologies Inc. hid a massive customer data breach for months is just the latest in a series of scandals for the ride-hailing company, but recent corporate history shows that its instinct to avoid disclosure of a major hack is thoroughly mainstream.
From Target Corp. to Yahoo Inc. and Equifax Inc., companies have been roundly criticized for letting customers be among the last to know about a significant data breach. Now though, the corporate playbook for megahacks may be changing as several jurisdictions move to get serious about legally mandating disclosure and notifications.
That private customer and driver data from 57 million people was stolen by hackers in late 2016 might never have come to light at all, had it not been for Uber's new chief executive officer, Dara Khosrowshahi, making a public declaration of the incident as part of his attempts to reboot the company's corporate culture.
"While I can't erase the past … we are changing the way we do business, putting integrity at the core of every decision we make," Mr. Khosrowshahi wrote in a blog post on Tuesday.
In this latest incident, Bloomberg reported that the ride-hailing company may have broken a U.S. Federal Trade Commission rule on breach disclosures that requires companies not to destroy evidence of a breach. (Uber is alleged to have paid the hackers $100,000 [U.S.] to delete the data they stole and to keep silent about it.)
It is still not clear whether Canadians are among the affected Uber users; the only specific figure the company has offered is that 600,000 drivers were affected in the United States.
"Uber has advised us it is not able to confirm the number of impacted Canadian customers," said Tobi Cohen, spokesman for the federal Office of the Privacy Commissioner. "At this point in time, we have not opened a formal investigation. We have asked Uber to provide us with a written breach report, in which we would expect them to provide details about how the breach happened and about the impact on Canadians."
Uber also declined requests for comment from The Globe and Mail.
In a few short years, multimillion-victim data breaches have gone from blockbusting news to an almost daily occurrence.
Target, which lost personal and banking data for more than 110 million customers around Thanksgiving in 2013, waited until after the holiday shopping period was over to sound the alarm; its CEO resigned and the company has paid more than $250-million in hack-related costs.
Yahoo waited years before disclosing that three billion users had their data stolen by multiple sets of hackers, ultimately costing it close to $350-million in value in its sale negotiations with Verizon Communications Inc.
Earlier this year, credit bureau Equifax waited 41 days before informing the public that 143 million users had been affected by a massive data breach of some of the most sensitive information companies can collect about customers; markets reacted by wiping close to $4-billion from its market capitalization.
"It's fascinating that even in light of the mega breaches of 2016 and 2017, companies consider non- or delayed-breach disclosure as an option. The number of records compromised in the Uber hack far exceeds the entire population of Canada. We're not talking small beans, here," said Mark Sangster, a vice-president with Canadian cybersecurity company eSentire.
Uber's rival Lyft, which recently announced it would begin operating in Canada, did not reply to a request for comment on its own data-breach disclosure policies. Over the course of 2017, Lyft has grown at Uber's expense, rising from 17 per cent to 25 per cent of the consumer ride-hailing market, according to credit card data collected by TXN Solutions.
In the United States, almost every state has data-breach disclosure rules, but most are vague or contradictory about what kinds of data need to be disclosed, and when. The U.S. Securities and Exchange Commission – which since 2011 has had guidance on when a public company must disclose to investors details of any material risk to the company from cybersecurity issues – has, to date, never brought an enforcement action against a company for failing to disclose such information in a meaningful or timely fashion.
In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) was amended in 2015 to mandate data-breach reporting, but the provision is not yet in force; the first draft of regulations on how to implement the rules was posted in September by the Ministry of Innovation, Science and Economic Development. The fines contemplated to enforce compliance with PIPEDA carry a maximum of $10,000 or $100,000 (Canadian), depending on the offence.
The European Union is steaming ahead with the most serious and potentially costly reform of disclosure practices: The General Data Protection Regulation, which takes effect in May, 2018, gives companies 72 hours from becoming aware of a breach to report it to the relevant data-protection authority, or contend with fines as high as 4 per cent of their global annual revenue or €20-million ($30-million), whichever is higher.
But even though delayed notification is common practice, Uber may not enjoy the goodwill of regulators looking to crack down on it. The company has on many occasions been accused of playing fast and loose with the law (and not just by defying local taxi regulators in cities around the world): The Federal Trade Commission fined the company $20-million (U.S.) for falsely advertising the economic benefits of driving for Uber.
There's a current U.S. Department of Justice criminal probe into Uber's so-called "Greyball" tool that aimed to deceive lawmakers and enforcement agents attempting to investigate the company, plus at least three more relating to pricing laws and bribery.