Reflecting on the data breaches of late 2017, the need for mandatory breach notification and reporting requirements in Canada couldn’t be clearer. Canadians were left in the dark for quite some time about the impact of the Equifax breach on their personal data before it was finally confirmed that the breach affected 8,000 Canadians. It then once again took pressure from the Canadian media and the start of an investigation by the Office of the Privacy Commissioner of Canada (OPCC) before Uber stated that 815,000 Canadians were affected by the 2016 hack that compromised the ride-sharing company’s customer data. Hackers accessed the data of 57 million Uber users stored on a third-party cloud-based service. The information included names, e-mail addresses, phone numbers, and drivers’ licenses.
Security professionals have raised alarms about Uber’s careless development team and poor security practices, while privacy advocates raised alarms at how Uber handled the breach in the first place. It seems that Uber’s programmers uploaded security credentials to a GitHub repository – GitHub is an Amazon public cloud server where you are supposed to store open source code, not security keys. While the repository was password-protected, hackers were still able to gain access, indicating either a very weak password or that the user credentials for the repository had been exposed in a previous, unrelated data breach that Uber had experienced. And even though Uber specifically promised regulators that it would use two-factor authentication on services like GitHub, it clearly failed to keep that promise.
The hackers were two individuals who claim they were paid a $100,000 ransom to keep the breach quiet. Uber said it does not believe individual riders need to take any action as a result of the breach, as it has seen no evidence of fraud or misuse tied to the incident.
Authorities in the United States have launched investigations into the breach – state laws require companies to give notice if data is stolen or compromised. Uber also faces potentially higher than usual fines from British authorities because the company did not promptly disclose the hack as required by laws in the U.K. Canada, however, does not have laws requiring disclosure of data breaches, as draft regulations amending PIPEDA on this very point have not been finalized. When they are, not only will the new rules require reporting breaches to the OPCC and notifying individuals, but organizations that fail to do so, or that don’t maintain detailed records of data breaches, could face fines under the federal private sector privacy law.
Demonstrating accountability and being upfront about a data breach helps to retain customer trust, but clearly, the threat of reputational damage isn’t enough to force organizations to be transparent about a data breach. When something goes really wrong, there is a human tendency to want to cover it up – fear of the repercussions can quickly win out over doing the right thing. Organizations, of course, act only through the human beings involved. Uber’s new CEO certainly got it right in confronting this breach head on. The company let go of two employees who led the response to the hack, including Uber’s Chief Security Officer. And as expected, numerous class action lawsuits are being filed against Uber. Hopefully the breach notification and reporting rules coming to Canada will result in responsible breach management and response, as well as transparency for consumers on the risks to their privacy.
Even with strong security practices in place, it is impossible to guarantee that data breaches won’t happen. Companies need to be prepared for when they do, including how to communicate with the regulators and their customers in a timely manner. 2018 will hopefully be the year that the PIPEDA breach notification and reporting regulations come into force, strengthening Canada’s privacy law for the better.
About the author
Fazila Nurani, Senior Counsel and Lead Trainer, PRIVATECH