Uber Hacked? Data on 57 million Uber riders and drivers compromised
The covered-up 2016 hack of data on 57 million Uber riders and drivers, disclosed on Tuesday, is among the biggest ever thefts of online users’ personal information.
Uber is reeling from a new controversy over revelations that the company tried to cover up a massive breach last year in which hackers pilfered information from 57 million of its customers.
As a result of the hack, the ride-share company now faces probes from multiple state attorneys general, as well as international regulators in Europe.
The concerns are not limited to the breach itself; the strongest ire from regulators is over how Uber handled the cyberattack. The ride-sharing firm initially kept the massive breach a secret, which new CEO Dara Khosrowshahi acknowledges Uber should not have done.
More alarmingly, Uber paid the hackers $100,000 in exchange for destroying the files and, according to The New York Times, made the hackers sign nondisclosure agreements to cover up the cyberattack.
The development is the latest in a series of scandals for the company that earlier this year forced the resignation of CEO Travis Kalanick.
His successor has been left to clean up the mess.
“None of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes,” Khosrowshahi wrote in a blog post Tuesday disclosing the breach.
In his statement, Khosrowshahi said the company had “obtained assurances that the downloaded data had been destroyed” and improved its security, but that the company’s “failure to notify affected individuals or regulators” had prompted him to take several steps, including the departure of two of the employees responsible for the company’s 2016 response.
Uber’s chief security officer, Joe Sullivan, was one of the two employees who left the company, Bloomberg reported.
The company’s failure to disclose the breach was “amateur hour”, said Chris Hoofnagle of the Berkeley Center for Law and Technology. “The only way one can have direct liability under security breach notification statutes is to not give notice. Thus, it makes little sense to cover up a breach.”
- Firm paid hackers $100,000 to delete data and keep breach quiet
- Chief security officer Joe Sullivan fired for concealing October 2016 breach
“We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”
The episode took place late last year when hackers gained access to names, email addresses and phone numbers of 57 million Uber users worldwide, as well as the driver’s license numbers of roughly 600,000 U.S. drivers.
Kalanick, who at the time was CEO, learned of the breach a month after it occurred. The company is said to have fired two executives who were involved in the response to the breach and its subsequent cover-up, including chief security officer Joe Sullivan.
Legal experts say the company is likely to be faulted for running afoul of breach notification laws in those states that have them and where customer data was compromised.
Attorneys general in at least three states, including Massachusetts and New York, have already launched investigations into the hack.
Steve Rubin, head of the cybersecurity legal practice at Moritt Hock & Hamroff, told The Hill that the incident is likely to trigger an investigation by the Federal Trade Commission (FTC), which has already faulted Uber for making deceptive claims about data privacy.
“This wasn’t simply a data breach,” Rubin said. “They went further and they tried to pay off a hacker in order to avoid their obligation to report to attorneys general.”
“Companies get punished for that,” Rubin said.
The FTC hasn’t commented on whether or not it will investigate the matter, but an agency spokesperson said in an emailed statement that it is “closely evaluating the serious issues raised.”
The development has already triggered blowback on Capitol Hill, with a key Democrat jockeying for an investigation.
“The security breach shows a sloppy approach by the company to protecting consumer data, and demonstrates a severe breach of trust with the public, its own employees and regulators who it failed to notify in a timely manner,” said Rep. Frank Pallone, Jr. (D-N.J.), ranking member of the House Commerce Committee.
“If Uber did indeed secretly pay off the hackers to keep the breach quiet, then a possible cover-up of the incident is problematic and must be investigated,” he added in his statement.
The developments have some of the hallmarks of the Equifax data breach, which the credit reporting firm said in September impacted 145 million Americans earlier this year.
Equifax executives have been hauled before congressional committees in Washington to explain why it took several weeks for the firm to notify consumers of the incident.
For Uber, the hack renews the scandal surrounding the company that had temporarily died down after Kalanick was pushed out as CEO.
Uber became embroiled in controversy earlier this year after the company faced sexual harassment allegations, prompting an investigation by former Attorney General Eric Holder into the company’s culture.
Kalanick faced other scandals as well, including the emergence of a tape that showed him engaging in a heated exchange with a driver about fare declines, and revelations that Uber had been using a software tool called Greyball to evade state and local regulators investigating the ride-sharing firm.
After Khosrowshahi took over for Kalanick in August, the former Expedia CEO appeared poised to lead Uber in a new, scandal-free direction. With news of the breach, however, it appears Khosrowshahi will be stuck picking up the pieces left by his predecessor.