Your secrets aren’t safe online
Recent data breaches are part of a larger culture of unethical conduct within organizations.
Equifax knows your financial worth and holds the keys to your identity.
Uber knows where you are, where you’re going and where you’ve been.
Both companies have been the victims of massive data theft. And over the last two weeks, it’s been revealed just how spectacularly they failed to respond. Rather than trying to protect their customers, their instinct was to protect their brands.
Uber’s failure was, as usual, more brazenly unethical than other companies in similar circumstances. According to a Bloomberg article published Tuesday, hackers, whom Uber is refusing to identify, stole Uber engineers’ login credentials that were stored on a GitHub site, then used those to access their Amazon Web Services account, where they discovered user data for 57 million riders and drivers. The hackers contacted Uber and offered to delete the data for $100,000. Uber’s chief security officer paid the ransom and then demanded the hackers sign nondisclosure agreements to prevent the public from discovering the scandal.
It was a poor investment. ’Cause we found out.
Immediately after the news broke, the New York attorney general opened an investigation. Uber may have violated state and federal breach disclosure laws. A few hours later, users filed a class action negligence lawsuit in federal court.
Compromised data from the October 2016 attack included names, email addresses and phone numbers of 50 million Uber riders around the world, the company told Bloomberg on Tuesday. The personal information of about 7 million drivers was accessed as well, including some 600,000 U.S. driver’s license numbers. No Social Security numbers, credit card information, trip location details or other data were taken, Uber said.
I’m not aware of any material damage resulting from the Uber breach. Rather, what’s most offensive at this point is the way the company reacted. If your driver’s license number, name, phone number and email address were stolen by a criminal, wouldn’t you want to know about it? There are steps you can take to minimize the risk of identity theft, which the Federal Trade Commission lists on its website. The sooner a victim of a data breach takes those actions, the more likely they are to avoid long-lasting harm, like credit score damage.
Uber knew the risk to its customers and drivers, and it didn’t care.
Equifax didn’t care, either. Executives there didn’t try to cover up the scandal by tracking down the hackers and entering into a secret agreement with them. But they did wait more than a month before disclosing the data breach to the public.
Worse, three managers sold $1.8 million worth of stock after the company learned of the data breach and before reporting it to the public. Equifax claims the three men were unaware of the breach when they sold “a small percentage” of their shares, but they haven’t offered evidence; attorneys representing victims of the breach called it one of the company’s “misdeeds” in a class action lawsuit. (I gave Pacer my $5 so you can read the complaint here.)
The complaint lists 52 plaintiffs whose lives have been disrupted just because they checked their credit score. “Mr. Harris has experienced fraud, as false loans have been opened in his name,” reads one typical narrative. “In addition, Mr. Harris paid out of pocket for a credit freeze and credit monitoring as a result of the Equifax breach. Also as a result of the Equifax breach, Mr. Harris has spent numerous hours monitoring his accounts and addressing issues arising from the Equifax Data Breach.”
Vanuel Harris, a guy from Alabama, trusted that when he used the company’s service, the company would safeguard his most vital information. Instead, it made mistakes that allowed his information to slip into the hands of thieves. Then, rather than informing him immediately, they waited until enough time had passed that those thieves could open lines of credit in his name, leaving him to deal with the fallout.
This lawsuit faces an uphill battle. Harris and all the others will need to find a way to prove the Equifax breach was the reason for the fraud. You can bet Equifax’s lawyers will try to obfuscate. The irony here is that the more companies mishandle your data, the more difficult it will be to prove that negligence on the part of any one of them led to a particular identity theft.
Your private data are valuable to tech companies until they’re not. As soon as your personal information is a liability, they rush to cover their tracks. These actions indicate a profound disrespect on the part of technologists toward consumers.
That’s something I can understand. Imagine looking at a file with a wonky name, like ud_062015.xz, and it contains the personal information of 57 million people. It’s not possible to think about the individuals’ lives inside it. Our brains can’t handle that scale. A file like that is just data. Data that got stolen and is going to make the company look bad.
Technology is as much a barrier as it is a bridge. We can’t even be civil to each other on Twitter. What may be the singular moral question of this century is: How can we create a digital society that’s more decent than our physical one? How can we humanize an avatar or a dataset?
I’m not just talking about companies’ carelessness with and abuse of our data. This is part of a larger ethical crisis in businesses—for profit and not—around the world. From Charlie “Shower Trick” Rose to Travis “Take Responsibility For Their Own Shit” Kalanick, corporate culture has become (or has always been) thoroughly depraved. People in positions of leadership can’t seem to maintain a healthy sense of perspective about their work.
Often, employees are aware of ethical breaches and say nothing, like the Rose staffer who said, “Oh, you got the shower trick.” In some cases, these employees are basically complicit; in some cases they’re not.
As many have observed, speaking up against wrongdoing becomes a brand that may not ever come off.
Even Barack Obama, the progressive savior, used his administration to forcefully lash out at those who tried to do the right thing by helping to expose the government’s torture and mass surveillance programs.
When Obama is part of the problem, then you know it’s a big problem.
Restoring respect to corporate culture is a big job. My own view is that it will require some kind of national movement to install empowered ombudsmen within every organization: an office that can investigate ethics claims impartially (as an organ of the board of directors perhaps) and punish wrongdoing. People behave badly when they believe they can get away with it. To create a broader change, heads must roll.