Clarkson Steers A Transparent Bearing As Uber’s Reputation Hits The Rocks
Clarkson, one of the world’s largest providers of shipping services, notified the public this week that it had suffered a security breach and forewarned that the perpetrators may release some of the stolen data.
The company admitted that attackers had gained access to its systems using a single compromised user account and, although few details have been released because of the ongoing law enforcement investigation, Clarkson stated that it had been targeted by cybercriminals trying to extort a ransom in exchange for not leaking its data online.
In a refreshingly proactive and honest response, Clarkson has been very transparent about the incident and stated that they hope their clients would understand that the company would not be held to ransom by criminals. They have already notified and apologised to affected customers and have been working with law enforcement in relation to this incident. CEO Andi Case has also said Clarkson will endeavour to share the lessons learned with their clients to help stop them from becoming victims themselves.
Clarkson should be praised for refusing to pay the ransom demanded by the attackers as there are a number of other companies who have previously been all too willing to pay such ransoms in order to prevent data breaches becoming public knowledge. For example, HBO allegedly offered $250,000 to hackers who were attempting to extort them for millions and a South Korean web hosting provider negotiated with cybercriminals and paid $1 million after around 150 of its Linux servers were compromised.
In the most recent example, and the latest in a string of public relations disasters for Uber, last week it was revealed that the company had concealed a significant breach of the personal information of 57 million customers and drivers in October 2016. Having failed to inform the individuals affected or Uber’s regulators (even though the company was in talks with US regulators at the time over separate claims of privacy violations), the company also confirmed it had paid the hackers $100,000 to delete the data and keep the breach quiet.
It has emerged that the perpetrators, who managed to obtain login credentials to access data stored on Uber’s Amazon Web Services account, stole personal data including names, email addresses and phone numbers, as well as the names and driver’s license numbers of about 600,000 drivers in the US. The company has since admitted that the breach involves approximately 2.7 million riders and drivers in the UK, but that details of location, credit card numbers, bank accounts, social security numbers or dates of birth were not accessed. Uber says riders do not need to take action and that it has so far seen no evidence of fraud or misuse tied to the incident. However, as a precaution, we recommend users change their account passwords and remain particularly vigilant to any potential phishing emails or scam phone calls.
The most concerning aspect is that, rather than reporting the issue immediately as Clarkson did, Uber chose to suppress the incident. That is not only a poor risk management decision but also a violation of breach notification laws in many jurisdictions. In Parliament last week the UK’s digital minister, Matt Hancock, was asked whether Uber had broken the law in relation to the breach. He said there was a very high chance the way Uber revealed the breach was “illegal under U.K. law,” with any legal action being a matter for the British courts.
Setting aside the fact that Uber’s initial response to this incident was clearly inappropriate, it raises an interesting debate about what an organisation’s threshold might be in the future if criminals were to hold it to ransom, either to retrieve stolen data or to restore online systems after a denial-of-service attack. Cybercriminals are acutely aware of the amount of money and credibility that can be lost if a business is taken offline for even a short period of time. Consequently, if a future cyber incident occurs where there is no legal obligation for the company to report it, board members could face a complex dilemma: meet the criminal demands to resolve and suppress the incident, or risk the reputational and financial implications of it becoming public.