Lawmakers in the U.S. Congress pilloried Uber on Tuesday for initially failing to inform regulators and customers about a 2016 security breach that affected about 57 million drivers and riders.
At a hearing before the Senate Commerce Committee — which sought to explore “bug bounty” programs that reward hackers for finding holes — Democrats and Republicans alike needled the ride-hailing company for withholding information even as it faced a federal investigation for its privacy and security practices.
“There ought to be no question here that Uber’s payment of this blackmail — without notifying consumers who were gravely at risk — was morally wrong and legally reprehensible,” charged Democratic Sen. Richard Blumenthal. He said Uber’s actions had “violated not only the law but the norm of what should be expected.”
At issue with Uber is a breach brought to its attention by hackers in 2016. At the time, they managed to access Uber’s backup files stored on a crucial Amazon server using login credentials found in a code repository on Github.
As a result, these individuals were able to access data about roughly 57 million users worldwide, 25 million of whom live in the United States; about four million of them were Uber drivers. In almost all cases, hackers could access names, email addresses and phone numbers. But in the case of 600,000 drivers, the hackers could access driver’s license numbers.
At the time, Uber paid $100,000 to obtain the data and secure its deletion. But it didn’t tell drivers, riders or state and federal regulators about the breach, even though almost every state in the country requires companies to inform customers about major cyber intrusions. Adding to the headaches, Uber already was under federal investigation for another major privacy and security mishap.
Upon revealing details of the breach at the end of December 2017 — an announcement made upon the arrival of new CEO Dara Khosrowshahi — Uber apologized. In the months since then, a torrent of state and federal regulators have opened new investigations. And the company’s chief information security officer, John Flynn, reiterated the company’s commitment to improve security practices to lawmakers at Tuesday’s hearing.
In testimony, Flynn said it was “not done consistent with the way our bug bounty program operates.” That program, he revealed, has paid a total of $1.3 million in response to more than 800 security bugs. Otherwise, Flynn stressed it was “wrong to not disclose the breach earlier.”
Lawmakers, however, still came to the congressional hearing immensely frustrated with Uber’s conduct.
“The fact that the company took approximately a year to notify impacted users raises red flags within this Committee as to what systemic issues prevented such time-sensitive information from being made available to those left vulnerable,” said Republican Sen. Jerry Moran, who convened the hearing.
“At the same time Uber was negotiating with its blackmailers, it was speaking with the Federal Trade Commission,” added Blumenthal, who described Uber’s initial decision to stay silent as “almost a form of obstruction of justice.”
Democratic Sen. Bill Nelson, the top Democrat on the chamber’s Commerce Committee, expressed similar dissatisfaction. In doing so, he called on Congress to pass a new law that would require companies to improve their security practices and disclose breaches — something that lawmakers, even in the face of major cyber attacks, have long failed to do.
And Nelson blasted his GOP colleagues, stressing any legislation can’t merely “cater to corporate interest.”
“Better for Congress to pass no bill than to pass a bill that provides less protections to consumers compared to the status quo,” Nelson said.
This article originally appeared on Recode.net.