Last week, Uber revealed that it had suffered a data breach in 2016 that exposed the personal data of 57 million drivers and riders. This was more than just another breach, as scandal-laden Uber chose not to disclose the breach to victims and regulators, instead choosing to pay the hackers $100,000 to delete the data and hide the fact that the breach ever occurred.

Some of the fallout follows a familiar script: public outcry, corporate apologies, and firing anyone that can be held accountable (in this case, the CSO and one of his deputies). The inevitable lawsuits and Congressional outrage are nothing new, but the Uber narrative forges into new territory because the company tried to cover up the breach instead of immediately disclosing it. Equifax took a lot of heat for dragging their feet nearly six weeks after their breach; imagine if they had intentionally swept it under the rug for over a year.

The 2017 Ponemon Institute Cost of a Data Breach study puts the average cost of a breach in the U.S. at $7.35 million. The study explicitly excludes “catastrophic or mega data breaches,” so it’s impractical to apply the $141 average per record to a breach such as Uber’s. But Equifax has already recorded a one-time charge of $87.5 million due to the event, lost $4 billion in market value in the days following the aftermath, seen its third-quarter income fall 27%, and been hit with more than 240 class-action lawsuits and 50 investigations. While the Uber incident did not include Social Security or credit card numbers, it certainly doesn’t look good for them.

And it isn’t getting any easier. With the EU’s General Data Protection Regulation (GDPR) going into effect in May of 2018, companies dealing with EU citizen data are going to be subject to a slew of new regulations and fines — up to 4% of worldwide income. Notification is expected to occur within 72 hours, with stiffer penalties for those that fail to comply. If Uber was subject to GDPR, their year-long cover-up would certainly push them towards the $320 million maximum that would be expected from an estimated $8 billion annual run rate. And Congress is taking note, reviving legislation to punish those that fail to disclose breaches in a timely manner, including up to five years of jail time for cases of intentional non-disclosure.

So, what is a company to do? At Uber, the cause of the breach was described by Bloomberg like this:

Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information.

Storing privileged credentials in your code, and hosting that code on GitHub, is a rookie mistake — a byproduct of a lax security culture and process. While beefing up your security practices is a no-brainer response, mistakes are always going to happen.

Keeping mistakes from becoming catastrophes requires changing your data security perspective.

Data is at the center of the modern digital enterprise, driving everything from new user experiences to new products to new business insights. For most companies, it’s the greatest source of risk — containing personal information and confidential intellectual property. But most security processes and organizations evolved in an application-centric age, and understanding how data and risk propagate through those processes is a challenge.

Why did that Uber application need access to production data? Why were those access credentials not restricted to only the data required for the application? Who within Uber understood that this application had a dependency on that data, and who was accountable for managing security access?

We don’t know the answers to these questions, but you should for all critical data in your enterprise. By starting with the data first, you can map out where dependencies exist and how risk propagates across applications, non-production environments, and analytics pipelines. You can then design your culture, processes, and controls around the data first, instead of trying to retrofit the processes you have today.

The next Uber is just around the corner. The total cost of breaches — including remediation, penalties, and lost business — is only going up. And traditional security approaches simply aren’t cutting it anymore. Solving this problem requires inverting your security perspective and putting data at the center. Waiting is not an option.

Read more about Delphix.