December 19, 2017

Why the Uber breach matters even if you’re not a customer

By Lookout

As the size and impact of breaches accelerates, individuals need to stay on top of breach notifications even more than ever. Unfortunately, you can't always rely on the breached company to tell you everything you need to know.

In November, we learned that California-based Uber had a massive data breach that affected over 57 million of its customers worldwide. In addition to publicly available information, such as names, email addresses, and phone numbers, over 600,000 Uber employees had their driver's license numbers stolen. Uber officials reportedly learned of the breach in October 2016, and Reuters reports that the company may have attempted to cover the breach up by paying an individual through a "bug bounty program," a mechanism typically used to reward researchers for finding vulnerabilities in corporate systems.

Last month we discussed how the full details around Yahoo's massive breach didn't become clear until years after the breach.

This all points to the fact that sometimes the companies themselves cannot or do not release full information about data breaches to their customers.

How are you supposed to know when your sensitive personal information has been breached?

Legislators in the state of California first wrestled with this question way back in 2002. As a result, it was the first state to enact data breach notification laws. Since that time, 48 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have all put through very specific legislation that requires any organization, company, or government entity to notify individuals when their personally identifying information has been compromised.

Remember, California was the frontrunner in enacting data breach notification laws in 2002 (and recently updated the legislation in 2016). The original bill states, "Any agency that maintains computerized data that includes personal information that the agency does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person."

Because of the nature of data breaches, with many companies often not knowing when or how they've been breached, there's a lot of grey area. With limited oversight, how can you trust that a given company will disclose a security breach? For example, Equifax needed six weeks to disclose its breach that compromised Social Security numbers, birth dates, and home addresses of up to 143 million Americans. Yahoo's 2013 data breach turned out to be far larger than had been reported a year earlier because details were still coming to light. Uber may have specifically avoided a public conversation about its breach.

Individuals need to do three things:

  • Be aware of any headlines or news about data breaches impacting companies or services you patronize
  • Be willing to contact that company for more information when a report of a potential data breach comes out
  • Use a monitoring service to get alerts any time your personal information shows up on the dark web

The big picture

We - as individuals and consumers - expect to be notified quickly and with helpful tools and resources to move forward. In fact, the law of the land demands it. Yet, as we're learning, we can't always rely upon companies and organizations to notify us about breaches - at least not in a timely fashion even when the law dictates it.

Instead, be vigilant and proactive. If you hear about a breach, call or email the company and ask if your information has been stolen or if the reports are true. Breach Report is a useful asset here. It offers you the latest information and updates you need to stay on top of your privacy and to take yet another step in protecting your personal information and data. Upgrade to Premium Plus now.