Uber Hack: A Company in Need of Risk Management Rehab
Steven Minsky | Dec. 6, 2017
The hot water in which Uber has been simmering has just reached new thermal heights. Back in October 2016, hackers stole the personal data of 57 million customers and drivers, including their names, email addresses, phone numbers, and, in the drivers’ case, their driver’s license numbers. Uber finally disclosed the breach this month.
Now, measured against the scope and nature of other breaches such as Equifax and Yahoo, the Uber hack may appear to pale in comparison. However, this company is representative of countless organizations that have committed repeated failures in risk management.
Other examples include Wells Fargo and Chipotle. My first Wells Fargo cross-selling blog foreshadowed their July 2017 data breach and auto loan scandal. Chipotle keeps poisoning its customers with foodborne illnesses, and while two CEOs have stepped down, the outbreaks keep occurring.
Wells Fargo is a bank, Chipotle is a restaurant, and Uber is a ride-hailing company; yet these seemingly unrelated companies have something in common. They have failed to identify the root cause of their risk, and so have fallen victim to multiple, preventable failures in risk management. To this we say: time for risk management rehab.
Until the underlying negligence in risk management is addressed, repeated scandals will keep spawning new ones in other business areas. On the surface these look different, but they are caused by the same failed risk management processes and systems.
Looking at the Uber hack alongside the company’s other missteps, a common thread emerges: not only the absence of healthy risk practices, but also a lack of senior leadership that recognizes the true value of those practices.
The Uber Hack Was Concealed for Over a Year
The Uber hack occurred in October 2016, but was not disclosed until this month, November 2017. After obtaining the information, hackers approached Uber with a demand for ransom. The company’s CSO and one of his deputies were able to keep the hack under wraps for a time by paying the attackers $100,000.
The problem is that a patchwork of state and federal laws requires companies to alert affected individuals and government agencies when sensitive data breaches occur. Uber was obligated to report the theft of driver’s license information at the very least, and failed to do so.
When this breach occurred, Uber had just settled a lawsuit with the New York attorney general over data security disclosures and was in the process of negotiating with the Federal Trade Commission over the handling of consumer data.
Uber has earned a reputation for falling short of protecting its customers and drivers since its founding in 2009. The U.S. government had opened at least five criminal probes into possible bribes, illicit software, questionable pricing schemes, and theft of intellectual property. And, of course, the company suffered a sexual harassment scandal that surfaced in February 2017.
Good Risk Management Means Good Risk Culture
What we’re seeing at Uber and in their scandals is a common thread of bad risk culture, which is defined as weak governance processes and lack of an effective risk management system. In all of these instances, having an enterprise risk management program in place would have given the company the tools to prevent scandal.
In the case of the Uber hack, an ERM system could have identified and filled gaps in the company’s cybersecurity policies and procedures. And even if a breach still occurred, the system would have recorded the company’s improvement efforts and automatically triggered alerts to the relevant parties that a breach had happened. Both measures would have safeguarded Uber from financial penalties.
However, these systems are only as good as the people who encourage their use.
In order to leverage ERM’s full potential, there needs to be pervasive tone-from-the-top support. Joe Sullivan, Uber’s Chief Security Officer at the time, his lawyer Craig Clark, and former CEO Travis Kalanick deliberately chose bribery over adhering to federal regulations.
Companies need to be run by boards and C-suite executives who understand the importance of a healthy risk culture. Part of this culture is recognizing that compliance is more than a check-box exercise. Regulations exist to protect stakeholders of all kinds, from employees to consumers to investors. Uber may have avoided litigation and reputational catastrophe for a year, but the truth ultimately surfaced, as it always will in today’s see-through economy. Now, Uber will suffer not only lofty financial penalties but also consumer outrage, as its users and drivers siphon off into competitors’ hands.
What Does the Future Hold for Uber Post Hack?
The Uber hack is the latest scandal the new CEO, Dara Khosrowshahi, has inherited from Kalanick. In an emailed statement, he wrote, “None of this should have happened, and I will not make excuses for it. We are changing the way we do business.”
As part of his goal to change Uber’s ways, Khosrowshahi asked for Sullivan’s resignation and fired Clark. This is an important step in building a new, healthy risk culture. The new CSO, as well as the new CEO, must understand the root cause of the company’s issues and make every effort to imbue the company with a culture that treats risk management as a top priority for keeping its reputation clean and its stakeholders safe.
“While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.” Only time will tell if Khosrowshahi learns the right lesson and takes this opportunity to enroll his company in risk management rehab.