Solution providers say the cover-up is worse than the crime after Uber failed to disclose that hackers had stolen information from up to 57 million accounts last year in a massive data breach.
In a post Tuesday evening, Uber disclosed that the information of both rider and driver accounts had been stolen last year. According to a separate report by Bloomberg News, the company in October 2016 paid the data thieves $100,000 to delete the data and keep quiet about the breach.
"As Uber's CEO, it's my job to set our course for the future, which begins with building a company that every Uber employee, partner and customer can be proud of. For that to happen, we have to be honest and transparent as we work to repair our past mistakes," said Uber CEO Dara Khosrowshahi in a blog post.
Two hackers stole data in both rider and driver accounts that included phone numbers, email addresses and names from a third-party server, according to Khosrowshahi.
Khosrowshahi said that the deal in which Uber paid the data thieves was arranged by the company's chief security officer, Joe Sullivan, who has been fired. It was also arranged under the watch of former CEO Travis Kalanick, who left the company in August.
According to Khosrowshahi, the incident did not breach Uber's corporate systems or infrastructure. In addition, he said that Uber has not seen any indication that rider and driver trip location history, credit card numbers or Social Security numbers were downloaded.
Frank Vitagliano, CEO of Computex Technology Solutions, Houston, No. 121 on the 2017 CRN Solution Provider 500, said that, looking at the Uber breach from the outside, it is hard to know all of the facts, but on the "surface it does appear that waiting 13 months to disclose something that potentially could impact people is questionable at best."
The Uber security issue requires a hard look at all aspects of the breach, said Vitagliano. "I heard something a long time ago that this reminds me of: The cover-up is usually worse than the crime," he said. "More and more, you see stuff going on regardless of what it is and then you realize that people are trying to avoid it and cover it up. It would be much better if people came out with it quickly, admitted something is wrong and fix it."
Douglas Grosfield, CEO of Five Nines IT, a Kitchener, Ontario, strategic service provider, said that it is "criminal negligence" for any company to not report a breach to impacted customers.
"My advice to any company big or small is to cover all the security bases adequately – including data leak protection, remote device management and education – and if something does happen, and you discover you're breached, it is not only imperative to your brand but also reputation and liability to report it to the impacted companies," he said.