Cyber insurance attracts further attention as another major company falls prey to a data breach.More than a year after it occurred, ridesharing platform Uber announced that it suffered a massive security intrusion that enabled hackers to lift personal information from 57 million customers and drivers. The company also admitted that it failed to inform state and federal authorities of the breach within six to eight weeks of it, as required by the laws of most states. The company further reported that it paid $100,000 to the unidentified hackers to ensure that the data was erased and the breach was not made public.
CEO Dara Khosrowshahi, who was named to that position in September after the ouster of former CEO Travis Kalanick, told Bloomberg that the company implemented measures to protect sensitive data stored in the cloud and restricted access to those accounts by unauthorized parties once it discovered the breach. The company said it does not believe that any accessed information was fraudulently used.
What Was Accessed
Data illegally gathered during the October 2016 breach included the names, email addresses, and phone numbers of 50 million Uber riders across the globe. Hackers also collected basic personal information and the license numbers of roughly 7 million drivers, including approximately 600,000 in the United States. Uber said that Social Security numbers, credit card information, trip location details, or other data were not accessed, but it added that it will provide free credit monitoring and identity theft protection to any drivers whose licenses were misappropriated.
According to Uber, the breach originated when the hackers infiltrated a GitHub coding site used by the company’s software engineers. Using stolen credentials, the hackers were able to gain entry into an Amazon Web Services account where Uber stored data. After breaching that account, the hackers unlocked an archive filled with rider and driver information. The hackers reportedly emailed Uber telling them they had seized the data and wanted money in exchange for keeping the information private.
The breach has already prompted a flurry of investigations and lawsuits. The Washington Post has reported that at least three potential class action suits are in the works, while the attorneys general of New York, Missouri, Massachusetts, Connecticut, and Illinois have all launched investigations.
A spokesperson for the Federal Trade Commission (FTC) confirmed to Reuters that the agency is also looking into the matter. “We are aware of press reports describing a breach in late 2016 at Uber and Uber officials’ actions after that breach,” the FTC spokesperson said. “We are closely evaluating the serious issues raised.”
News of the Uber breach hit just after several major corporations were targeted by hackers. including Equifax and FedEx. Insurers also have experienced security trespasses in recent years. In August, Nationwide Mutual Insurance Co. agreed to pay $5.5 million to 33 states to settle a 2012 data breach that exposed the personal information of 1.27 million people. After hackers penetrated the personal data of 79 million in 2015, health insurer Anthem paid $115 million to settle the case.
Insurers, Agents Respond
As data breaches and ransomware attacks continue, corporations will increasingly explore cyber insurance to indemnify themselves against the enormous damages inflicted by hackers stealing customers’ personal information. After its security hack, FedEx said it would consider purchasing a cyber insurance policy. Even if a corporation holds cyber insurance, however, it may not fund all expenses associated with a breach. FedEx, for example, conceded that its cyber policy may fall short of covering every claim. Meanwhile, insurers confront the challenge of underwriting risk in a relatively new field where predictive models have yet to be fully established.
For insurance agents, cyber security presents an opportunity to discuss with their business clients the importance of protecting sensitive private data that may not be covered under a broad commercial insurance policy. Similarly, insurance agents may need to purchase cyber risk insurance to protect the reams of personal data they collect from their clients.