Uber is going to have to explain to Congress why it hid the 2016 data breach that affected 57 million users


Uber is facing fresh questions from the U.S. Congress after it initially suppressed details about a data breach that affected more than 57 million of its drivers and riders in 2016.

In a series of letters sent to the ride-hailing company on Monday, Democrats and Republicans alike pressed Uber to detail why it hadn’t informed customers sooner, whether it has spoken with law enforcement agencies about the matter and what exactly it’s doing to help drivers whose sensitive data was stolen.

To the lawmakers who wrote to Uber, though, the incident was also just the latest misstep by a tech giant that has repeatedly drawn government probes over its business practices.

It’s not just that the company “concealed the breach without notifying affected drivers and consumers,” began a group of four Republicans, led by Sen. John Thune, in their note to the company Monday. It’s that “prior privacy concerns at Uber” make it “a serious incident that merits further scrutiny.”

Asked about the letter, an Uber spokesman said the company has “been in contact with members of Congress and the relevant committees to inform them of the situation,” adding: “We are working to respond to their inquiries and address their concerns.”

The barrage of criticism Monday came days after Uber revealed that the company, then led by Travis Kalanick, had suffered a major breach in 2016 and had paid the hackers $100,000 to destroy the stolen data. The data taken included names, phone numbers and email addresses of riders and drivers, and, for about 600,000 drivers, their driver’s license numbers as well.

In sharing those findings last week — perhaps hoping to do so under the cover of the Thanksgiving holiday — new Uber CEO Dara Khosrowshahi said that the company’s chief security officer had been fired. Uber also added new security aides to help it further investigate the breach.

Still, Khosrowshahi’s apology hasn’t satisfied lawmakers, including Thune and three other Senate Republicans, who lead key committees overseeing tech, telecom, finance and data security.

In their letter, sent Monday, the lawmakers demanded that Uber provide a full timeline of what it discovered about the breach and when, as well as a list of the state and federal law enforcement or regulatory agencies it informed about the incident. They also asked Uber to confirm that no other sensitive rider or driver data had been taken.

The senators also flagged a further concern: federal officials use Uber, so the Republicans asked the company to help them “identify and mitigate potential consumer harm and identity-theft-related fraud against federal programs,” they wrote.

Uber’s replies could carry serious political and legal repercussions. Forty-eight states have laws on their books that require companies to notify consumers promptly when their personal information has been stolen. Driver’s license numbers are a covered data element under most of those statutes, so the theft of 600,000 drivers’ license numbers alone would, in many states, have obligated the ride-hailing company to disclose the breach. To that end, at least five state attorneys general are investigating Uber on related grounds, Recode first reported last week.

Meanwhile, the four Republicans asked Uber if it had disclosed details of the breach to the Federal Trade Commission. The agency had been investigating Uber at the time of the incident in 2016 for another, unrelated privacy and security mishap. If Uber did not inform the FTC, it could face additional penalties.

Echoing some of those same concerns was Democratic Sen. Mark Warner, who sent his own letter to Uber on Monday. In asking for more information about why it hadn’t disclosed the breach sooner, he also pressed Uber to explain why it didn’t have a more secure system to handle payments.

Warner further demanded that Uber explain how it managed to identify the hackers in the first place. While he acknowledged that the company could have found them through forensic investigation, Warner said that Uber’s “past pattern of conduct” still left him wondering whether the company had essentially tried to “hack back” its attackers. Gaining unauthorized access to another party’s systems, even an attacker’s, is illegal under federal law, Warner reminded the company.

Once Uber found the hackers, though, it paid them a $100,000 ransom and required them to sign a nondisclosure agreement. To Warner, that “thwarts law enforcement’s ability to bring criminal hackers to justice.”


This article originally appeared on Recode.net.
