How Uber's hack threatens trust in mobile payments

Uber’s announcement that it had been hacked in 2016 — resulting in the exposure of 57 million accounts — was shocking. Not because of the breach itself, but in the blunder its management made by paying a $100,000 ransom to the attackers and attempting to conceal the breach.

The breach itself did not include payment information, but does that really matter from the consumer's perspective? Accounts can be reissued; trust is not so easily salvaged.

David Paul Morris/Bloomberg

Under the hood

One of the unique attributes of Uber from the outset has been that payment for the ride occurs instantaneously and automatically at the end of a trip. This characteristic of the payment moving to the background has led to the invention of the term the “Uber-ization of payments” — meaning that the transaction is invisible.

But this is a one-way window. Everything that is invisible to the rider is collected and scrutinized by Uber or Lyft.

It has been no secret that Uber and Lyft have been attempting to build direct connections of their own between passengers and their payments. With this breach eroding trust in Uber’s brand, customers may seek third-party payment options within the Uber app that have a better reputation for security and integrity. This improves security for the consumer by tokenizing card data before it reaches Uber or Lyft, but the ride-sharing companies don't want this because it keeps them at arm's length.

“We don’t have a direct relationship at that point with that customer who’s signing on using Apple Pay,” Ashwin Raj, Lyft’s vice president of payments, said at this year's PayThink conference. “All we know is a token, at that point. That is less preferable.”

Increased scrutiny of Uber’s security and unethical responses may also cause something of a regulatory backlash. There has already been a warning shot from the U.K. that there will be implications.

“Deliberately concealing breaches from regulators and citizens could attract higher fines for companies,” James Dipple-Johnstone, deputy commissioner of the U.K. Information Commissioner’s Office, said in a statement. Current British law carries a maximum penalty of 500,000 pounds ($662,000) for failing to notify users and regulators when data breaches occur.

A long road ahead

It is entirely possible that in the current climate of data breach fatigue that consumers will just continue to use Uber as normal — memories are short and there is almost certainly another data breach around the corner to distract from the current one. However, Uber does not hold a monopoly on ride-sharing services, and the company has already come under fire for earlier practices such as tracking passenger location after the ride is over and not allowing in-app tipping.

“I suspect that Uber customers won’t be switching to more secure forms of payment as much as they will be using Lyft instead,” said Al Pascual, Javelin’s research director. “Although the effects of a breach on customer choice aren’t long-lasting, they do avoid businesses where they have had information breached in a significant way for at least the first year after being notified. This isn’t anything close to a deathblow, to be certain, but there will be millions of customers over the coming weeks deleting the Uber app from their phones in response to the breach — the way it was handled will only incent more to do the same.”