In November, Uber disclosed a security breach that occurred in October 2016, when hackers stole data about 57 million Uber drivers and riders from a third-party server. The company also revealed that it had taken affirmative steps to keep the breach secret. The New York Attorney General's office is opening an investigation into the incident, and members of Congress have sent letters to Uber demanding additional details about the breach.

This case highlights how important it is for any company to have appropriate data security in place, along with a plan for responding to security breaches.

Data security is critical to a company's brand, reputation and market trust. A company's ability to keep information about its customers secure is central to building that trust. As public awareness of the risks posed by the loss or misuse of personal data grows, assurances that data is properly protected become more important to a company's brand and reputation. Uber's ill-advised efforts to cover up the breach show how damaging such an event can be for an organization, and how critical it is to reduce the risk of it happening.

Companies need to be sure that the vendors that store and process their data do so with proper security measures in place. The hackers in the Uber case obtained the driver and rider data from a third-party server. New approaches to data protection, including the General Data Protection Regulation (GDPR), place responsibility for securing individuals' data on the company no matter where or by whom it is processed and stored. Companies must know their vendors and conduct the due diligence necessary to confirm that those vendors have taken the measures needed to secure the data shared with them for processing.

Companies need to develop a protocol for handling breaches should they occur. Even the most responsible and careful company can experience a hack or breach. Every company must establish a breach response plan that covers the reporting requirements established by law, forensic investigation, and the steps needed to remediate the system weakness that was exploited.


Achieved Compliance: helping you navigate the complex world of data compliance.

Through its software-guided review and remediation process, education tools and representation services, Achieved Compliance makes it possible for companies to take all the steps needed for meaningful compliance that meets regulators' expectations.

For more information on how we can help your organization become GDPR compliant, please contact info@achievedcompliance.com.