"I don't know what's scarier, losing nuclear weapons, or that it happens so often there's actually a term for it."
In the film "Broken Arrow", we watch with bated breath as Christian Slater battles to stop John Travolta from making off with a nuclear warhead that has been misplaced, as one does from time to time. And we discover that losing a nuclear weapon is referred to as a “broken arrow”.
The term “Data breach” has become a synonym for a hack on your business, loss of a USB stick full of client information, an Advanced Persistent Threat and every other flavour of cyber-attack. However, when Grant Thornton’s team are assisting our clients with a “cyber incident”, we work carefully with them to avoid the term “breach” – it carries with it an assumption of blame and legal connotations that should not be self-applied if possible.
This week we discovered that taxi-on-demand company Uber has acknowledged that hackers stole personal information affecting 57 million drivers and passengers, nearly a year ago. Uber paid the hackers $100,000 to destroy the information and keep the breach quiet.
“Notification Fatigue” is affecting many of us: our data has been lost by so many businesses, so many times, that it’s almost difficult to keep track of who has NOT lost our data. Perhaps if Uber had simply admitted the loss of data back in October 2016, beyond a shrug of the shoulders, the impact might have been relatively short-lived; see our work on the valuation of a business after a cyber incident, here:
Unfortunately, proactive efforts to hide the loss from the data subjects and the data regulators may well have aggravated the damage that could flow from this incident. Certainly the damage to their brand will be more acute.
But is it a breach?
Not every loss of data is a “data breach”. “Breach” perhaps implies that an external effort had to be made to break through defences and “breach” security, using sophisticated means to steal the data and then retreat to the darker regions of the cyber world.
However, on this occasion, it seems that the Uber data loss came about when hackers discovered that the company's coders had published code on the exceptionally popular source-code repository GitHub. This code included the developers' usernames and passwords. Those credentials gave the hackers access to the developers' privileged accounts on Uber's network, which in turn carried access to sensitive Uber servers hosting rider and driver data.
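The failure described above is credentials committed into source code that is then pushed somewhere readable by others. The usual defensive control is a secret scanner run before code leaves the developer's machine (or continuously over the repository). The following is an added example, not code from the article or from Uber: a small pre-commit style scanner in Python. The file contents, the regular expressions, the placeholder list and the entropy threshold are all assumptions chosen for illustration; the AWS key shown is the one AWS publishes in its own documentation as an example, not a live credential.

```python
"""Added example (not the article's or Uber's code): scan source files for
hard-coded credentials before they are committed to a shared repository.
All patterns, thresholds and sample files below are illustrative assumptions."""
import math
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    redacted: str  # value with its middle masked so the report itself does not leak it


# Credential formats with a fixed structure that can be matched without guessing.
STRUCTURED = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Generic  name = "value"  assignments; these need a plausibility filter to cut noise.
ASSIGNMENT = re.compile(
    r"(?i)(password|passwd|pwd|secret|token|api[_-]?key)\w*\s*[=:]\s*['\"]([^'\"]{6,})['\"]"
)
# Values that are clearly templates or dummies rather than real secrets.
PLACEHOLDER = re.compile(r"^(\$\{.*\}|<.*>|changeme|password|xxx+|\*+)$", re.I)
MIN_ENTROPY = 2.5  # bits per character; a tunable assumption, not a standard


def shannon_entropy(value):
    """Shannon entropy in bits per character; random-looking strings score higher."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value):
    """Keep only the first and last four characters so a finding can be located but not reused."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(path, text):
    """Return a list of Findings for one file's contents."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in STRUCTURED.items():
            for match in pattern.finditer(line):
                findings.append(Finding(path, line_no, kind, redact(match.group(0))))
        match = ASSIGNMENT.search(line)
        if match:
            value = match.group(2)
            # Skip obvious placeholders and low-entropy values (e.g. "aaaaaaaa").
            if PLACEHOLDER.match(value) or shannon_entropy(value) < MIN_ENTROPY:
                continue
            kind = "hardcoded_" + match.group(1).lower()
            findings.append(Finding(path, line_no, kind, redact(value)))
    return findings


def scan_files(files):
    """Scan a mapping of path -> contents (what a pre-commit hook would feed in)."""
    results = []
    for path, text in files.items():
        results.extend(scan_text(path, text))
    return results


# Constructed sample repository contents (not real files from any project).
SAMPLE_FILES = {
    "settings.py": (
        'DB_HOST = "db.internal.example"\n'
        'DB_USER = "app_user"\n'
        'DB_PASSWORD = "hunter2hunter2"\n'
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"  # AWS documentation example key\n'
        "DEBUG = False\n"
    ),
    "README.md": 'Export the password before running: DB_PASSWORD="${DB_PASSWORD}"\n',
    "deploy.yml": 'api_key: "a1b2c3d4e5f6a7b8c9d0e1f2"\n',
    "id_rsa": "-----BEGIN RSA PRIVATE KEY-----\n(constructed, truncated)\n-----END RSA PRIVATE KEY-----\n",
}


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: {f.kind} -> {f.redacted}")
```

Run as a pre-commit hook, a non-empty result blocks the commit; the README line is correctly ignored because `${DB_PASSWORD}` is a template, while the real password, the AWS key, the API key and the private key header are each reported once. The entropy filter trades recall for fewer false positives, so a scanner of this shape is a complement to, not a substitute for, keeping secrets out of source files in the first place (environment variables, a secrets manager, or encrypted configuration).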
Data was lost, but is this a data breach? Perhaps, but misconfigured security on cloud services such as Amazon Web Services, GitHub, Dropbox and other semi-publicly accessible repositories is becoming an increasingly common occurrence as we host more data in the cloud (aka someone else’s computer).
Stealing data from a less than secure system does not necessarily require sophisticated efforts or the breaching of security. If I leave my wallet on a park bench, I should not be surprised if the casual efforts of a less than moral passer-by mean that I don’t see my money again.
Not all data losses are data breaches. Sometimes, it’s just failure to secure data that is valuable, private, and certainly precious to the users who find their data stolen, once again.
Perhaps it’s time to call Christian Slater.
Image: Twentieth Century Fox
"If Uber knew and covered it up and didn’t tell the FTC, that leads to all kinds of problems, including even potentially criminal liability," says William McGeveran, a data-privacy focused law professor at the University of Minnesota Law School. "If that's all true, and that’s a bunch of ifs, that could mean false statements to investigators. You cannot lie to investigators in the process of reaching a settlement with them."