Uber's Data Breach Fine: A Red Light, or a Bump in the Road?
On Tuesday 27th November 2018, Uber was fined by the UK's Information Commissioner's Office after failing to tell users and drivers that their data had been stolen
How much is your personal data worth?
If someone asked you to sell them your full name, phone number and email address, on the basis that they would then be able to use that information however they liked - including selling it on to other people who could do the same with it - what price would you put on it?
The answer is going to vary from person to person, but I'd be surprised if you put it any lower than £100. Remember, this is basically a licence for someone to spam you, or sell your details to people who will spam you, forever. Who's that emailing you? Who's calling? Oh, it's junk. It's spam. Maybe you'd charge something more like £1,000? Or even more?
When I was researching for Cyber Wars: Hacks That Shocked The Business World - my examination of the world of major hacking incidents and how they affected businesses and people - I was repeatedly astonished at how cheaply regulators value our personal information. Data that we would personally value at hundreds of pounds or more attracts fines that work out to pennies per affected user.
Which is why one can only give a half-hearted cheer at the news that the ride-hailing company Uber has been fined £385,000 by the Information Commissioner's Office (ICO) in the UK over a November 2016 hack in which the details of around 3 million British users were copied.
Those records included not only name/phone number/email but also the location where you'd signed up for the service (quite likely to be your home or work). For Uber drivers, who were also affected, the breach was worse: their weekly pay, trip summaries (location starts and ends) and, in a few cases, driver's licence numbers were copied. In the UK, 82,000 were affected.
Work out the fine per person and it comes to slightly less than 13 pence each. The sum in the US was slightly larger. There, Uber agreed to pay $148m (£115m) to settle claims from US state attorneys general over its failure to tell drivers that it had been hacked.
Impressive? Well, that settlement covered the overall breach, which involved all 57 million Uber riders and drivers around the world. So that is £2.02 per person.
Altogether, Uber's misadventure with the hackers who found flaws in its systems has cost it about £2.15 per affected user in penalties. On top of that, it paid the hackers $100,000 on condition they promised to destroy their copy of the data.
One can safely say that it's Uber that got taken for the ride here, and all the rest of us paid the fare.
Yet that's completely in line with the way that data breach fines have tended to be priced. When I looked at the October 2015 breach of systems at the UK internet service provider (ISP) TalkTalk, in which a forgotten system was discovered by some hackers, who then copied personal data (names, postal addresses, email addresses, birthdates) for 157,000 people, the eventual fine a year later - again from the ICO - was £400,000. That was a record, but it only works out to about £2.55 per head. The ICO evidently felt TalkTalk's failings were particularly egregious, at least compared to Uber's.
What shocked me more, though, was discovering that TalkTalk had been fined far more - both per person and in total - for providing poor customer service (while not releasing customer details) than it was for letting those details be released onto the internet. As I document in the book, Ofcom, the UK's communications regulator, which has powers over TalkTalk's role as an ISP, ordered the company to pay 65,000 customers a total of £2.5m (about £38.50 each) as recompense for calamitous mix-ups in its billing. Ofcom later fined TalkTalk a further £3.1m for the mix-ups (about £47.70 per customer).
In all, about £86.20 per affected customer, for annoying them over their accounts for a limited period of time. Contrast that with the fine for a failing which lets people annoy you endlessly, and ponder why one is substantially less than the other.
Of course, the TalkTalk fine and the Uber fine were both applied before the introduction in the EU of the GDPR - the regulation which allows data protection authorities to levy fines of up to 4% of a company's worldwide annual turnover. Given that Uber's 2016 revenue (the year the hack happened) was $6.5bn (£5.05bn), that would mean the ICO could in principle levy a fine of up to $260m - or about $86 (£66.80) per person affected. In other words, even the maximum still isn't as much per person as Ofcom imposed for screwing up billing. And despite its size, it's still not as much as you might set as the base value for that information.
The ICO doesn't share how it sets its fines (I have asked it, to no avail) but it seems like it's either setting the per-head figure too low, or favouring companies too much.
Of course, you might think that all this is irrelevant; that the key question is to look at how Uber got hacked, and prevent it ever happening again. Lock down the systems! Put up the walls! Keep the hackers out!
Unfortunately, the only way to do that is to disconnect those systems from the internet. Even then you don't make them completely safe: other companies have seen staff with privileged access steal data, or in a few cases leave "logic bombs" - code that deletes everything if its author doesn't log in for a certain number of days, the trigger being, of course, that the author has been fired.
The key lesson I heard from hackers and security experts alike when researching Cyber Wars was that the old assumption - that a company can protect itself completely from hacking - is outdated. You have to assume attackers can get in, and work forward from there: how do you minimise the damage? The reality is that in the end everyone gets hacked; the only variables are time and severity. Time? Making systems more robust, and less dependent on outside services you don't control, makes it take longer for an attacker to gain a foothold. Severity? If all your corporate data sits in a single database, so that one set of stolen credentials grants someone everything, you're asking for trouble. Split the data into smaller, separately controlled stores so that one compromised account doesn't unlock the lot, and hire "pentesters" (penetration testers) who will try to break in and show you where the weaknesses lie.