Data Security is Expensive, Negligence is Cheap

uber hack

Screw you Uber. You assholes raised 15 billion dollars, invest in some decent security already.

Apparently Uber got “hacked” in early 2014, and it took them over two years to figure out what all got stolen. As a result, they’re only sending this letter to me now.

I apply the term “hack” quite loosely: Uber employees left a login key in a public file on GitHub, and someone found the key and used it to access Uber’s database. “Hack” is a blame-deflecting way of saying Our engineers are morons and someone took advantage of that. If I leave my iPhone on the sidewalk and it gets swiped, is that a “hack” too?

In response to this data breach, the NY Attorney General already fined Uber $20,000. Okay that’s not a fine, that’s a line item in the petty cash daybook. Eric Schneiderman just set a price cap on negligence.

Corporations have little incentive to invest in data security. Really, there are 20 million companies in this country. What’s the likelihood of any single one being targeted for attack? On a risk-adjusted basis, it makes sense to neglect security concerns. When weighing the cost-benefits of hiring a team of CISM-certified sysadmins against the small chance of a $20,000 fine, it’s plain to see why Sony Pictures chose to raise a middle finger to infosec and store sensitive information in a cleartext file directory labeled “Password”.

Can you blame them? Corporations have a fiduciary duty to maximize value for their shareholders. Nowhere does there exist a duty to protect the personal data of their customers. Consumer lawsuits based on data breaches rarely succeed, unless the consumer can prove that they were quantifiably harmed.

Attitudes are different in Europe, where protection of personal data is a basic human right [1]. Companies that don’t adhere to security obligations may not operate on the continent. Over there, Facebook is not allowed to track you all over the internet, and search engines like Google have to comply with user requests to remove undesirable search results.

In the US, we prioritize liberty, or the right to be left alone. Companies like Uber and Google should be allowed to figure out their own privacy policies without government meddling. In theory, consumers will vote with their dollars. In practice, consumers have no idea how careless their service providers really are.


US companies don’t care much when customers’ personal information gets stolen, but they care a lot when intellectual property is stolen. Chinese hackers are constantly testing US corporate resistance to IP theft [2]. The organizations with the best security practices will be ones with valuable IP, like Google, IBM, and DuPont. Of course, just because Google takes steps to protect your information from unauthorized access doesn’t mean they won’t abuse that data themselves.

I’m thinking I should delete all my accounts and move to Europe, or maybe a planet in Urbit.

1. James Q. Whitman, The Two Western Cultures of Privacy: Dignity Versus Liberty. Yale Law Journal, 113, April 2004.
2. Adam Segal, The Hacked World Order: How Nations Fight, Trade, Maneuver, and Manipulate in the Digital Age. 2016.

Leave a Reply