Uber on Tuesday admitted to paying hackers $100,000 to cover up a major cybersecurity breach that exposed the data of 57 million customers. Revealed by the company’s new CEO, Dara Khosrowshahi, the incident is the latest in a string of controversies that have called the company’s integrity into question.
While there are still unanswered questions regarding the cyberattack, analysts are already speculating about the future of Uber after it ignored data breach disclosure practices. At the same time, furious customers are concerned that the private information they gave Uber is being sold on the dark web.
Which brings up two of the biggest questions coming out of the revelation: “Will Uber get punished for failing to protect its customers?” and “What should Uber customers do now?”
What happens to Uber?
The fallout after Uber’s admission has been swift and uncompromising. Less than 48 hours after Uber confessed, multiple governing bodies opened investigations into the company’s practices.
New York Attorney General Eric Schneiderman said his team has already launched an investigation into the incident. New York law requires that companies notify the attorney general’s office and customers if the information of U.S. citizens is stolen.
The Connecticut attorney general will also intervene. A spokesperson for Attorney General George Jepsen confirmed to Reuters that the team will launch an investigation into the data breach. While they declined to confirm whether other states would open up their own investigations, some experts believe it’s only a matter of time.
“This latest breach du jour is going to fire up already angry consumers, who are going to demand action and protection,” Ken Spinner of cybersecurity firm Varonis told CBS News. “Every state attorney general is going to be salivating at the prospect of suing Uber.”
The punishments for failing to disclose the security breach aren’t limited to the United States. Bloomberg reports that Uber faces three probes in Europe since coming clean. Italy’s defense protection chief is now investigating what he calls “the obvious lack of adequate security measures.”
“We can only express our deep concern about the breach,” Antonello Soro, president of the Italian authority, said in a statement. “We have opened an investigation and we are collecting all the useful elements to assess the extent of the data breach and the actions to be taken to protect any Italian citizens involved.”
Several regulatory agencies in the U.K.—the Information Commissioner’s Office, National Crime Agency, and National Cyber Security Centre—also announced investigations into the data breach, which could result in Uber paying high fines.
“Uber’s announcement about a concealed data breach last October raises huge concerns around its data protection policies and ethics,” James Dipple-Johnstone, deputy commissioner at the U.K. Information Commissioner’s Office, told the Financial Times.
The Netherlands, where Uber has its European headquarters, is also looking into the data breach, according to Bloomberg.
These probes could lead to further setbacks for the beleaguered company, which is losing its grip in several major cities. London recently revoked Uber’s license to operate in the city. London Mayor Sadiq Khan argued that it failed to “adhere to the high standards we [London] expect—particularly when it comes to the safety of customers.”
If there’s a silver lining for Uber, it’s that it narrowly escaped regulations that will impose huge fines against companies that conceal data breaches. The General Data Protection Regulation, which goes into effect in May next year, would have forced Uber to pay either 4 percent of its global annual revenue or 20 million euros, whichever is higher.
What can Uber riders do?
Uber customers are rightfully concerned about their private information. Uber claims hackers deleted the data—which it says did not include credit card information, social security numbers, or trip details—after they were paid. But some experts consider Uber’s “solution” naive.
“How could any business or IT executive believe hackers would be true to their word and destroy stolen data?” Steve Morgan, CEO of Cybersecurity Ventures, writes. “Especially when that data could fetch even more money on the dark web.”
It’s always a good idea to assume you were hacked, which—you guessed it—means you should change your passwords. Try something you haven’t used before that is hard to guess and has many characters. Also, keep a close eye on your accounts, including social media, banking, and email. If anything looks unusual, notify the service.
To change your password on the Uber app, select “help” from the app menu, then “I can’t sign in or request a ride” and “I forgot my password.”
Or, you know, delete Uber once and for all.