From the discussion related to Uber's ex-CISO Joe Sullivan, it seems like this was to cover an embarrassing event related to a compromise. Most consumers don't care that much about their security or their concern is only "temporary" (they make a small change for a week or two, then are back to the same activities). Even details leaked wouldn't have been as bad as the ex-CISO imagined. The security community would have reacted negatively, but this community is very different than the average person. Time and time again, we see the average person continuing to do business with companies that disrespect their security, over track their information, and experience security breaches. The average person prioritizes "convenience" over everything, even if they later regret this.
From a user view, companies that want your data will always be big targets. You can reduce some headaches by severing ties fast. The more they ask, the bigger the pot for attackers. In the below example, we look at comparing a taxi service to a ride-sharing service like Uber (and this applies to other ride sharing services as well):
- You can pay a taxi in physical cash. Physical cash cannot be hacked. All digital money can be hacked.
- Digital money comes with linkability, whereas physical cash does not have this bug (and this is a bug, not a feature).
- Taxis seldom store your information and even if they do, it's limited. Uber stores your information while tying it to other linkable information about you.
- Uber tells you when your ride is about to arrive. This sounds super convenient, yet it is also trackable and if compromised, may reveal key details about you and your destination. Taxis don't do this. It would be very difficult for some attackers to compromise a taxi company (not impossible), but even if so, they may not obtain key details.
- You can order a taxi without your cell phone. Uber is tied to your cell phone. Cell phones are incredibly dangerous because they contain a wealth of information that attackers love (why we see so many sim-swap attacks).
- Taxis are more expensive than Uber. Ironically, this creates a barrier to entry in that most people are unwilling to take a taxi because of a higher cost, but prefer Uber or other ride sharing services. This means that there's a bigger "pot" to attack Uber over taxis, if you think about who hacks and why (incentives matter!). Since few people take taxis, why hack them at all - what is there to gain?
From the company view, being upfront and transparent is significantly less costly than hiding what happened or attempting to bribe attackers. While a company may lose respect in the eyes of a few consumers (if it's bad enough), most won't care. If better alternatives exist, consumers may switch, but if those alternatives have also faced breaches, consumers may not. Additionally, services like taxis which may practice stronger security will deter consumers because they cost more - most consumers don't consider a more expensive service as more secure. Security is an afterthought.
Expect security challenges to grow. From MFA attacks to social engineering to behavioral attacks, I consult in some areas of security for firms needing help in specific areas. I will only do this for firms who already have an existing internal security team and are looking at additional consultants to test their security model in these domains. You can contact for assistance in these security domains. Before you reach out, you must watch Who Hacks and Why and have an assessment from this video on who your major threats are. As a note, I do not cover all domains in security, so you'll want to ensure that the areas of security I list are ones where you need assistance.