It turns out ousted Uber CEO Travis Kalanick left behind yet another hidden scandal: the company made a $100,000 payout to hackers after a data breach that left the data of 57 million customers and drivers exposed.
The San Francisco-based startup confirmed a Bloomberg story on Tuesday that hackers stole the personal data of millions of users, including the names and driver’s license numbers of 600,000 of its drivers, in October 2016. Uber paid the hackers in an effort to conceal the breach and said it subsequently identified the individuals involved and “obtained assurances” that the downloaded data had been destroyed.
Uber’s chief security officer, Joe Sullivan, and a lawyer who reported to him, Craig Clark, have been ousted for their roles in the breach and the cover-up.
“None of this should have happened, and I will not make excuses for it,” Uber CEO Dara Khosrowshahi said in a post discussing the incident.
Tuesday’s data breach revelations are yet another setback for Uber, a private company that is valued at about $70 billion. Kalanick, the company’s co-founder, was ousted as CEO in June after a string of scandals and controversies, including allegations of sexual harassment and technology theft. Kalanick was CEO when the 2016 breach and payout occurred.
“While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes,” Khosrowshahi, who took over as chief executive at Uber in August, said in the breach post.
He said Uber has hired Matt Olsen, a former general counsel at the National Security Agency and director of the National Counterterrorism Center, “to help me think through how best to guide and structure our security teams and processes going forward.”
Uber is in trouble with the law, again
New York Attorney General Eric Schneiderman on Tuesday launched an investigation into the incident. This isn’t his first run-in with the ride-hailing company — just last year his office reached a settlement with Uber over its collection and use of riders’ personal information and its delayed disclosure of a 2014 data breach.
In August of this year Uber reached a settlement with the Federal Trade Commission over allegations it made deceptive privacy and data security claims.
Uber has also come under fire over allegations of sexual harassment and misogyny, culminating in a report from former Attorney General Eric Holder on its workplace culture. It has been subject to federal scrutiny for its use of Greyball, software designed to mislead local regulators in order to prevent them from enforcing taxi regulations.
Uber has seen an exodus of top executives and talent in recent months and has faced numerous battles with local taxi regulators since its inception.
Should we all just assume our data is lost?
As much as this is a story about Uber’s ongoing problems, Uber is hardly the first company to lose customer data to hackers or to try to keep such an incident under wraps.
Credit reporting firm Equifax in September revealed that 143 million of its US-based users had their personal information compromised from mid-May through July 2017, including Social Security numbers, birthdates, addresses, and other data. Equifax waited weeks before disclosing the data breach to consumers, during which time three executives sold nearly $2 million worth of the company’s shares.
A 2013 Yahoo attack affected three billion accounts, and a 2014 breach affected 500 million accounts. Retail giant Target in May agreed to pay $18.5 million as part of a settlement over a 2013 data breach that left the information of 40 million credit and debit cards exposed.
As the Wall Street Journal notes, the Securities and Exchange Commission requires publicly traded companies to disclose major data breaches. The SEC launched a probe into Yahoo, which is now part of Verizon Communications, and whether it disclosed its 2014 breach in a timely manner.
And even the SEC has faced security issues of its own. In September, the agency revealed that its EDGAR system, a platform that pools financial reports on publicly traded companies, had been breached in 2016. SEC Chair Jay Clayton, who was appointed by President Donald Trump, was only made aware of the incident in August.
Because Uber is privately held, it is unlikely to be the target of an SEC investigation, David Chase, a former SEC enforcement attorney, told WSJ. And the Uber incident and others expose holes in the United States’ data and consumer protection legal framework, WSJ explains:
With no federal data privacy law, Uber’s obligation to report the breach falls under a patchwork of data-breach laws in 48 states that come with differing and often complex notification requirements. The laws generally apply if a victim of a hack lives in that state.
In other words, it’s unclear what, if anything, consumers can do.