Uber's Breach and Their Security Nightmare

N2K

Unraveling Uber’s Breach and their <Culture> <PR> <Security> <Leadership> Nightmare

Below is a link to Dara’s post to Uber’s business customers about their cyber data breach. While it is nice to see leadership step in and run with the mea culpa, airing out the faults and misgivings of prior leadership is neither heroic nor helpful. The early grade for Uber’s response shows they are leaving out a real opportunity to tackle their already beaten-up image and culture problem on a few fronts.

Following are several snippets of Uber’s response (full response here), and how we advise folks to both behave and telegraph their behavior to their stakeholders:


1. The Firing Squad

“Effective today, two of the individuals who led the response to this incident are no longer with the company.”

“The buck stops here” – and by “here”, Uber means the two security staff who were fired as a result of this. Never mind that this was at the same time as their investor pitches and response to 2014 breach inquiries, neither of which would have been the doing of those two security folks.

We train our board and executive customers that the “buck stops here” argument holds little water with your stakeholders. Instead, focus on what problem you just created for those stakeholders (customers, shareholders, employees, vendors, partners, regulators, industry peers, etc.) and how you are going to solve those problems. Sometimes the best action is to fall on the sword (or have someone else do it), but often it’s really nothing more than a PR cop-out architected by a crisis response firm advising an equally helpless board. And most of the time, if you’re firing your chief security officer, you’ve just made the problem much worse for those stakeholders, so spare us the good guy act…


2. “When Bad Things Happen, We Do Good Things”

“At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals. We subsequently…”

“When we noticed the incident we…” Again, this is hallmark generic crisis comms spam that essentially says one of two things: one, we are not sophisticated enough in our SECURITY posture to understand the true impact of what just happened, or two, we are not sophisticated enough in our RESPONSE posture to truly mitigate the things that matter to you, dear stakeholder.

A better approach, one that Uber started to take but fell short on, is to categorically call out and recognize the detriment they caused and the disadvantage that puts those affected in, then how they will reverse that detriment. The difference between “we lost your driver’s license numbers” and “we know you’re apprehensive about exposure of information in your personal driver’s record” is a mile wide AND a mile deep in tone and action.


3. The Grandma Test

“You may be asking why we are just talking about this now, a year later. I had the same question, so I immediately asked for a thorough investigation of what happened and how we handled it. What I learned, particularly around our failure to notify affected individuals or regulators last year, has prompted me to take several actions”

Like the old saying goes, integrity is what you do to make your grandma proud when no one else is watching. In this case the response is mixed: Dara’s reaction seems one of genuine shock and immediate attention as soon as he learned of this incident. However, that doesn’t represent the Uber that in fact fell prey to this security incident and behaved as it did towards it while breaching customer trust. In the private confines of Uber’s HQ, and in the year since this incident, the early indication is that the Uber of yesteryear has truly failed this test of personal and organizational integrity. We’re always careful to reserve judgement in the early going with only half the story based on public info, but this doesn’t bode well so far.

As 21st-century leaders it is all but guaranteed that we will face a cyber security breach in our tenures. The way we, and our companies, will be judged has every bit as much to do with how we respond to these incidents as with the magnitude of the breach itself. Unfortunately, today’s world is sparsely populated with good exemplars of how to act in a time of cyber crisis.

I’m happy to share more of our learning and teachings. It comes from our experience delivering our Cyber Resolve board and executive cyber program, which works with mostly large clients who have gone through similar experiences to Uber. Please don’t hesitate to reach out. Our hope is that we can help change these stories and their impact for the better a little bit at a time.