The Uber breach, which compromised the data of 57 million drivers and customers worldwide, has just gone from bad to worse. Not only did the company wait for a year to disclose the hack, it scrambled to cover it up by forking over $100,000 in hush money to the hackers – which it funneled through its bug bounty program, no less, possibly in an attempt to keep the entire incident off regulators’ radar. As a result, Uber was facing multiple lawsuits, as well as investigations by governments in several countries.

Now, former Uber security analyst Ric Jacobs is accusing the company of having engaged in KGB-level corporate espionage. In a 37-page letter that has been submitted in the lawsuit competitor Waymo filed against Uber, accusing the latter of having stolen its company secrets, Jacobs claims he witnessed Uber engaging in all manner of unethical and, in some cases, illegal cyber spying, including:

• Hacking into an unnamed competitor’s database to obtain information on their employees for purposes of poaching.
• Hacking into a second company’s database to “steal ideas, exploit any identifiable weaknesses and identify drivers in order to recruit them to Uber.”
• Hacking mobile devices and networks to obtain metadata on opposition figures, politicians, and government regulators.
• Engaging in social engineering tactics to infiltrate private online groups for Uber drivers.
• Recruiting third-party vendors to steal information.
• Recording phone calls and bugging hotel and conference facilities.

A veritable case study in poor cyber security practices, awful data governance and risk management, and the consequences of having no cyber or business ethics, both the Uber breach and the newest allegations being leveled against the company contain cyber security lessons for us all.

Cyber Security Lessons from the Newest Allegations Against Uber

When news of the Uber breach first broke, the focus was on the data governance and risk management mistakes Uber made that led to the hack, such as including login credentials in software code and storing the code on a Github repository, and the company’s attempts to hide the breach instead of promptly disclosing it. The newest allegations have some things to teach everyone, too:

• The threat of cyber espionage and digital IP theft is quite real, regardless of the industry you operate in. Whether it’s employee data, a secret recipe, or a proprietary app, all companies have digital IP and trade secrets that other companies want to steal.
• The biggest vulnerability in your cyber security program is your own people. According to the court filing, Uber heavily engaged in social engineering tactics to steal information.
• Hackers may target your third-party vendors to get at your company.
• Securing employees’ mobile devices is just as important as securing your enterprise network and equipment.

Whether Uber will survive this latest firestorm is questionable, especially since, in a settlement with the FTC following a 2014 hack, Uber agreed to “not misrepresent in any manner, expressly or by implication... the extent to which Respondent protects the privacy, confidentiality, security, or integrity of any Personal Information." At the time this settlement was being negotiated, Uber was in the process of covering up the 2016 hack, as well as possibly engaging in the cyber spying activities Jacobs has accused it of.

Notably, Uber’s failure to disclose, in and of itself, would be illegal under the EU's new GDPR data privacy rules, set to take effect next May. As the Uber breach drama continues to unfold, don’t be surprised to see calls for similar data privacy legislation in the U.S.

Author's Bio: 

Michael Peters is the CEO of Lazarus Alliance, Inc., the Proactive Cyber Security™ firm, and Continuum GRC. He has served as an independent information security consultant, executive, researcher, and author. He is an internationally recognized and awarded security expert with years of IT and business leadership experience and many previous executive leadership positions.

He has contributed significantly to curriculum development for graduate degree programs in information security, advanced technology, cyberspace law, and privacy, and to industry standard professional certifications. He has been featured in many publications and broadcast media outlets as the “Go-to Guy” for executive leadership, information security, cyberspace law, and governance.