Earlier this year, Twitter suffered a data breach that affected 5.4 million users. In 2016, Uber suffered a data breach that compromised personal information of 57 million users – including both drivers and passengers. Each company responded very differently to their respective cyber-attacks, presenting an interesting case study of what to do and not to do following a cyber-attack.
Twitter released a statement on their privacy center in August 2022 informing users of a January 2022 vulnerability in their systems. It was only in July 2022 that they learned that user data was compromised, so they informed their users of the data breach and provided information on how to proceed.
Uber’s situation was a bit more complicated. A data breach that occurred in November 2016 was not disclosed until a year later, in November 2017. In 2016, Uber was working with the Federal Trade Commission on an ongoing investigation into an unrelated 2014 Uber data breach. According to Wired, Uber’s then chief security officer (CSO) “gave a sworn deposition to the FTC about the incident and steps Uber had since taken to improve its digital security practices.”
However, ten days following his deposition, the former chief security officer learned of a new data breach and did not disclose it. According to Wired, the former Uber CSO is now “convicted of spearheading the effort to cover up this breach by paying the hackers $100,000 through the company’s bug bounty program…These actions amounted to a failure to report a felony, according to the DOJ, and resulted in a ‘misprision of felony’ charge.”
When in doubt, remember these three guidelines:
Do not pay ransom
According to The Verge, if you pay a ransom to gain a key to unlock your hacked device, cyber hackers know you are going to pay, so they may renege on the deal or come back later and try again.
Do not hide data breaches from users or governing authorities
In the event you are hacked, your users need to know as soon as possible that their data may be at risk. Provide a full disclosure with all available information as well as available remedies and fixes for those impacted. If you are required to report such breaches, do so immediately and with full candor.
Plan for the future
Zero Trust methodology assumes your organization’s data is constantly under threat, and companies must commit to being proactive in preventing the inevitable attacks that will occur. Get in touch with Sharp Decisions to learn how we can prepare your cyber defenses for the future and protect your data.
It is never a bad time to shore up your company’s cyber security defenses. Sharp Decisions identifies and protects against cyber threats across the world. We provide assessments and protect our clients against the threats of today and prepare them for the attacks of tomorrow. Combining the knowledge of our “elite technical SWAT practitioners” with our skilled cybersecurity experts, we offer protection solutions and minimize downtime caused by cyber threats and attacks.