A year ago, the personal data of 57 million Uber riders and drivers was taken by hackers. Uber paid the hackers $100,000 to destroy the stolen data and refrained from disclosing this breach until now.
The stolen information included names, phone numbers, email addresses, and drivers’ license numbers. Luckily, credit card and Social Security numbers were not compromised.
Can you trust that your personal information isn’t being used or should you take action?
Uber’s CEO released a press statement yesterday, which stated that drivers and riders do not need to take any action. The company has been monitoring the affected accounts and continues to do so. However, Uber does encourage individuals to monitor their credit accounts.
In light of the recent Equifax breach, individuals are taking note of whether their personal information is being secured by organizations. It’s becoming more and more important for organizations to take steps to improve their cybersecurity and data protection policies and procedures. If they do not, they risk reputational damage and monetary loss.
Are there any laws governing data security and breach notification to protect individuals?
In the US, there is a patchwork of industry-specific federal laws and state legislation that enforce breach notification and data security regulations.
Some states, like New York, have proposed state-wide data security acts to protect their residents. SHIELD, also known as , was introduced into the legislature as a program bill by Attorney General Eric Schneiderman. SHIELD will apply to all companies handling the sensitive personal data of New York residents, whether or not those companies do business in New York. Failure to comply could result in companies facing civil suits and penalties of up to $5,000 per violation or $20 for every instance of failed notification, up to a maximum of $250,000.
On the federal front, the Consumer Privacy Protection Act of 2017 (H.R. 4081) was introduced on October 19. The Act calls for a specific notice period for disclosing breaches and mandates that organizations have a data security program in place that protects consumers’ privacy. The program would require risk assessments and risk management, employee training, and vulnerability testing. This Act, like the New York SHIELD Act, would impose monetary penalties on organizations in violation of these requirements.
How can you prepare your organization for these upcoming data security laws?
Having an information security management system in place can help you reduce the risk of cyber attacks and ensure that your entire organization is taking steps to do so. Certification to an international standard such as ISO 27001 can provide customers with assurance about your company’s information security practices.