Uber has once again lost sensitive data, though this breach was not Uber's own fault. When attackers stole Uber driver data earlier this year, the data was being held by New Jersey law firm Genova Burns, which was storing social security numbers, taxpayer identification numbers, and other PII.
Why did the lawyers need this PII? The details are not known; the firm required the data as part of its legal representation of Uber. The only published information is the dates on which attackers bypassed the firm's defenses, the type of information obtained, and the short-term security fix that was applied.
This makes for an interesting third-party risk management case study, and there are three key lessons companies can take from this incident.
Partner Due Diligence
First, partner security must be verified. In its notification letter to affected drivers, the law firm stated that it "secured the environment by changing all system passwords." That is a red flag: the statement suggests the firm was not using MFA or other password best practices. It also raises doubts about the firm's data retention and disposal policies.
Was the law firm secure? Probably, at least on paper: Uber's security evaluation of a partner is limited to questionnaire answers and audits. Uber undoubtedly did its due diligence and still ended up in a bad situation. Law firms must strengthen their cybersecurity, because criminal actors target them.
Determining Data Exfiltration Liability
Second, liability matters. If the law firm genuinely needed access to the sensitive data, the firm is liable for breach damages. If the PII was not necessary for the firm's work, Uber could be found negligent for sharing it.
Lawsuits will follow a mass theft of social security numbers on this scale. Uber and Genova Burns LLC will have to settle who pays damages, but neither company will pay for everything out of its own pocket: cyber liability insurance exists for exactly such situations.
Data Leak Brand Damage
Finally, the damage to brand reputation may be lasting. This breach will hurt the law firm's ability to attract large clients, yet no headline read "Genova Burns Loses Sensitive Data"; it is always the household name that appears. Uber already knows the reputational impact of data breaches from previous incidents, and it has reason to be wary of its partners.
Third-party risk monitoring is essential. Review what data each partner can access, how it is secured, and whether it is actually needed for day-to-day operations. The parties should also agree in advance on who is responsible in the event of a breach, and there should be a plan for responding to third-party breaches.