Uber is in the spotlight yet again: this time, because of a 2016 data breach the rideshare company allegedly hid until just a few weeks ago. Here’s the latest on Uber’s newest scandal, including what it means for the 57 million global users whose data found its way into the hands of hackers.
What Happened With The Uber Data Breach?
Uber says that in October 2016, data belonging to 57 million Uber users was stolen. The data was taken from a third-party cloud-based service, where it was stored unencrypted. Hackers allegedly did not reach Uber’s internal storage.
What didn’t happen? Timely reporting of the incident.
Uber waited more than a year to disclose the massive data breach—putting it in hot water yet again, even as it still battles sexual harassment complaints, the London ban and U.S. investigations into bribery and discriminatory pricing. Its newly named CEO, Dara Khosrowshahi, was still leading Expedia when the issue occurred, but was reportedly briefed on the breach before it went public.
What Information Was Exposed?
In the report, Uber claims that the names, email addresses, and phone numbers of 57 million customers and drivers were exposed, along with the driver’s license numbers of more than 600,000 drivers. Uber also claims that no credit card or bank account information, trip history information or birth dates of users were exposed. According to the company, none of the information was used for identity theft or fraud.
How Did Uber Respond To The Hack?
When Uber discovered the breach, senior executives sought out the hackers responsible and paid a $100,000 ransom. The ransom was paid on the condition that the data would be destroyed and that the hackers sign nondisclosure agreements. Uber has assured users that the data in question has been destroyed, and that no individual needs to take action to prevent fraud or misuse of the data. News of the hack was not released until over a year later, when Uber wrote about the breach in a blog post and Bloomberg reported on the ransom and the deal with the hackers.
At the time of the breach, Travis Kalanick was serving as Uber’s Chief Executive Officer, and Joe Sullivan was serving as Chief Security Officer. Sullivan and a senior lawyer who reported to him were fired after news of the breach broke. Kalanick has since been replaced as CEO but remains on Uber’s board. Uber is also offering all drivers free credit monitoring and identity theft protection in response to the breach.
This method of handling a data breach isn’t just unusual; many regulatory agencies have said that it’s downright unethical. Uber was legally obligated to disclose any breaches to drivers and regulatory agencies, but kept quiet. Now, the company is the talk of senators, regulatory agencies and lawmakers who are investigating its response to the breach.
Who Is Investigating Uber?
On November 27, Senator Mark Warner issued a letter to now-CEO Khosrowshahi, pressing questions about the safety of the data and how Uber handled the breach. A key question raised: Why didn’t Uber contact legal authorities after the breach? After all, they had enough information to seek out the hackers themselves. Uber’s behavior could be a direct violation of the United States’ Computer Fraud and Abuse Act.
In addition to Warner’s questions, Uber has to respond to class-action lawsuits in California and Oregon that were filed within hours of the initial reports of the attacks. Within a week, state attorneys general in Massachusetts, New York, Illinois, Connecticut and Missouri had opened investigations into Uber. The Federal Trade Commission has also opened an investigation. Similar regulatory bodies in the United Kingdom, Mexico, and Italy have also announced plans to look into the breach.
What Happens Next?
At the time this article was written, Japanese tech company SoftBank is expected to make a tender offer for Uber shares at a $48 billion valuation. That’s a 30-percent drop in the company’s valuation, and a potential red flag considering Uber is planning an IPO for 2019.
The data breach, and consequences for Uber, could signal big changes in how data is regulated and stored—and new rules for how global tech companies handle security matters. 2017 has not been a quiet year for Uber, but this data breach could be the company’s biggest hurdle yet.