This week, Uber was discovered paying off hackers who breached the personal data of over 50 million users worldwide and nearly 7 million drivers in the U.S. (including sensitive data from over 600k American drivers). The discovery of the breach resulted in the removal of two employees responsible for the cover-up: the company’s Chief Security Officer, Joe Sullivan, and Craig Clark, the company’s Legal Director, Security & Law Enforcement.
This breach originally took place late last year, and the company paid the two hackers $100,000 to keep it quiet. Shortly after the breach was disclosed, Uber CEO Dara Khosrowshahi responded in an email stating:
“None of this should have happened, and I will not make excuses for it. We are changing the way we do business.”
Since being appointed CEO in September, Khosrowshahi has had his hands full. From allegations of sexual harassment to nearly identical issues with previous data breaches, it seems as if it’s one thing after another for the ridesourcing pioneer. Yesterday, Khosrowshahi wrote a blog post in Uber’s newsroom saying that as CEO, he has an obligation to be transparent about these issues, and shared how he conducted the investigation along with his plans for the future.
Although Khosrowshahi said that no trip history, credit card/banking information, social security numbers or birth dates were breached, the hackers were able to access other data of significance:
The names and driver’s license numbers of around 600,000 drivers in the United States.
Some personal information of 57 million Uber users around the world, including the drivers described above. This information included names, email addresses and mobile phone numbers. Riders can learn more here.
Upon discovery of these details, the company secured the vulnerability and restricted access to this information. It received “assurances” from the two hackers that the data was deleted. However, not everyone gave Uber the benefit of the doubt. Kowsik Guruswamy, CTO of Menlo Security, felt the company was mistaken to trust the word of cyber terrorists.
“What guarantee or promise did they have that they deleted this data and didn’t make a backup? It sounds to me like the $100,000 went, not to protect the consumers, but to keep it from getting out in the news.”
Although Khosrowshahi acknowledged the company’s tardiness in dealing with this issue, he carried out a thorough examination of the facts with help from cybersecurity expert Matt Olsen. He soon identified the two men responsible for covering up the breach and ousted CSO Joe Sullivan and his attorney, Craig Clark. Uber’s CEO also listed the actions he is currently taking to remedy the situation:
We are individually notifying the drivers whose driver’s license numbers were downloaded.
We are providing these drivers with free credit monitoring and identity theft protection.
We are notifying regulatory authorities.
While we have not seen evidence of fraud or misuse tied to the incident, we are monitoring the affected accounts and have flagged them for additional fraud protection.
Still, these remedial actions don’t mean that Uber is going to get off scot-free. The Attorney General of New York, Eric Schneiderman, has opened an investigation into the breach and will most likely penalize the company for not properly disclosing the hack to authorities. In addition, Britain’s Deputy Information Commissioner, James Dipple-Johnstone, said today the fines will be higher because U.K. citizens “should have been notified so that we could assess and verify the impact on people whose data was exposed.” Parties from every end of the spectrum are appalled that Uber attempted to hide this breach from the public and are now looking for swift justice.
We wish that we had better news for Uber, which has been struggling to regain its public image in recent months. However, it seems as if all things must eventually come to light, and the ridesourcing taxi company is having one hell of a time not being blinded by past mistakes. I think everyone is curious to see how this will influence the recently announced tender offer for Uber employees and whether it will make the company’s partnership with SoftBank come to a screeching halt.
Will this impact your involvement with Uber and how do you feel about Uber’s response to the breach? Do you think this is the beginning of the end for Uber or will they find a way to push through? Let us know what you think by dropping us a note below and stay tuned for the latest updates!