Data breaches: Why is the tech industry so scared to acknowledge them?
- Companies are tempted to minimize the fallout that follows when a data breach is exposed. This includes creative workarounds such as paying off the hackers to obscure an incident's impact.
In 2017, the embattled ride-hailing giant Uber Technologies Inc disclosed a massive breach in which hackers stole the personal data of 57 million of its customers and drivers. More appalling still, the company had concealed the incident for more than a year, paying a ransom of US$100,000 to the attackers to avoid making headlines. It is not a rare case: hiding data breaches, especially among tech companies, has been going on for a while and remains a problem.
Three years after the uncovering of the Uber hack, the US Department of Justice filed federal charges against Uber’s former Chief Security Officer (CSO) for allegedly bribing hackers to stay silent about the attack. The US Attorney David Anderson at that point highlighted that “Silicon Valley is not the Wild West. We expect good corporate citizenship. We expect prompt reporting of criminal conduct. We expect cooperation with our investigations. We will not tolerate corporate cover-ups. We will not tolerate illegal hush money payments.”
Even with stern warnings and heavy consequences, companies are still concealing cyberattacks, mainly data breaches. In Uber's case, failing to disclose the attack to the public potentially violated breach disclosure laws in many of the states where its users reside, on top of keeping the data theft secret from the FTC.
So why keep data breaches under wraps?
Uber's cover-up sadly mirrors the approach taken by many companies seeking to avoid their responsibilities under various data breach laws. Company leaders in particular can feel pressure not to report issues upwards. Beyond that, uncertainty about the regulatory and legal implications of specific decisions can mean that incidents do not always get the attention they deserve.
However, as much as tech giants like Facebook, Amazon and others are strengthening their cybersecurity, companies of that sheer size can never be completely safe. The issue then lies in how they behave when reporting breaches, because disclosure might also affect their legal defense in other matters.
Since Europe's GDPR (General Data Protection Regulation) came into effect in May 2018, it has led to landmark fines such as that of British Airways (close to US$230 million), while Marriott was handed a US$123 million fine. To put these into perspective, under the GDPR, failure to report a breach to authorities can cost a company a fine of up to US$11 million or 2% of its global turnover, whichever is the higher sum.
As a result, European firms have been covering up data breaches, and possibly avoiding hefty fines, under the guise of non-disclosure agreements (NDAs), according to cybersecurity firms speaking to Business Insider. Faced with the fallout to their value and reputation (and, of course, fines like those above) once a breach goes public, not all firms are coming forward to disclose breaches that have occurred, despite the requirement that organizations report personal data breaches to their supervisory authorities within 72 hours of discovery.
For context, NDAs keep the relationship between cybersecurity firms and the companies using their services and consultation confidential, particularly given the sensitive nature of the information at risk. Moreover, cybersecurity firms are not required to report data breach incidents on behalf of their clients. Experts reckon this has led several high-profile companies to allegedly exploit NDAs in attempts to sweep security breaches under the rug.
12 August 2022