This question came to the forefront last week when it was discovered that Uber had paid hackers $100,000 in October in order to avoid reporting a breach of their customers' and drivers' account data. Their Chief Security Officer and one of his team members were fired this week as part of the fallout from this decision. Here are some of the reasons why:
- It’s the law. State law often mandates a specific timeframe in which affected parties must be notified if their data has been exposed/accessed by an unauthorized party. Despite Uber’s argument that the data was restored to them after they paid the ransom, the fact remains that the hackers accessed the data despite the fact that they were not authorized to have access.
- There is no honor among thieves. The hackers made $100,000 from the data. That doesn’t mean they didn’t keep a copy of the files, either to extort more money from Uber at a future date in exchange for staying quiet about the breach, or to sell the data on the dark web to make more money.
- Uber is now subject to additional fines and litigation for knowingly not following the mandates to disclose the breach. The consumers and drivers whose data was exposed were also left without the opportunity to immediately take steps to protect themselves from damages, such as signing up for credit monitoring, freezing their credit, and changing any credit card accounts that were exposed.
Does paying the ransom mean you don’t have to report a cyber incident? The law, the compliance mandates that protect data, your ethical obligation to protect your customers and your staff, and this example all show that the answer to this question is a resounding “No”. Be informed and prepared for how to handle incident response by consulting a firm that specializes in preparation, detection, recovery, and post-incident activities.