When Personal Data is No Longer Yours: Lessons From the Uber Breach

It’s a familiar tale by now: a high-profile organization comes forward, well after the fact, to acknowledge that it suffered a cybersecurity breach that affects multitudes of consumers.

But in the latest case – involving rideshare giant Uber – the breach itself may not be the most significant part of the story, argues cybersecurity expert Dr. Jason M. Pittman, who teaches at Capitol Technology University.

On Tuesday (November 21) Uber disclosed that it paid $100,000 to hackers who accessed 57 million users’ personal data in 2016. Uber says the hackers promised to destroy the stolen data, which included names, e-mail addresses, phone numbers, and in some cases license numbers.

Although the hack and attempted payoff have stirred up a media storm, Pittman says, the weightier question is “what was Uber doing with all of this data in the first place?”

“The real story here is about the use of information as currency. Uber takes our data and generates revenue through business relationships built entirely on that data,” he said.

Uber, he noted, has data-sharing business agreements with various companies. Numerous media sources, including Buzzfeed, the New York Times, and The Washington Post, have reported on Uber’s ability to collect, view, and share personal information. Being able to sell this data to ancillary services, such as their partner MoviePass, is part of Uber’s business model – and a key reason why it is able to keep fares well below those of traditional taxis.

This also explains why Uber stores user data in the cloud and did not impose tough internal controls on access.

“Business-to-business integration is easier to achieve with a cloud service model than with an antiquated, self-operated data center model,” Pittman said. “And controlling access to driver and ride information could negatively impact business operations.”

While data-sharing arouses alarm in some quarters – especially when that data gets hacked -- the reality is more complex.

“It’s not in itself a malign phenomenon,” Pittman explains. “Think of the potential good that can come about from information sharing between Uber and Moviepass. Uber knows that a movie’s a hit, so it can make sure sufficient drivers are in the area. Moviepass understands your behavior, so it can inform you of movies you’d like to see and make it easy to get tickets. And then getting a ride there and back is a snap.”

As more and more companies strike deals based on data, tough questions will arise about their responsibility to safeguard that information. The legal and ethical implications remain unclear, Pittman says, because consumers voluntarily cede control of their personal data when they sign up for services like Uber, giving up privacy in exchange for convenience.

“Does Uber have a responsibility to keep this data private?” Pittman asks. “Is it reasonable to expect that our individual claims to privacy extend to a company we've willingly transferred our data to?

“Or, is this simply a sign of the inevitable transition from the Information Age to the Virtual Age? Maybe our concept of information and privacy is what needs to change.”