Business Standard

Uber faces regulatory crackdown after concealing data breach

The breach occurred in October 2016 but chief executive Dara Khosrowshahi said he had only recently found out about it

Reuters  |  Toronto/San Francisco 


Struggling ride-hailing firm Uber faces a fresh regulatory crackdown after disclosing it paid $100,000 to keep secret a massive breach last year that exposed personal data from around 57 million accounts.

Discovery of the company's cover-up of the incident resulted in the firing of two employees responsible for its response to the hack, said Dara Khosrowshahi, who replaced co-founder Travis Kalanick as chief executive in August.

"None of this should have happened, and I will not make excuses for it," Khosrowshahi said in a blog post. (http://ubr.to/2AmxlQt)

Britain's data protection authority said on Wednesday that concealment of the data breach raises "huge concerns" about Uber's data policies and ethics.

"Deliberately concealing breaches from regulators and citizens could attract higher fines for companies," James Dipple-Johnstone, deputy commissioner of the Information Commissioner's Office, said in a statement. Current British law carries a maximum penalty of 500,000 pounds ($662,000) for failing to notify users and regulators when data breaches occur.

The stolen information included names, email addresses and mobile phone numbers of users around the world, and the names and license numbers of 600,000 drivers, Khosrowshahi said. Uber declined to say what other countries may be affected.

Khosrowshahi also said Uber had begun notifying regulators. The New York attorney general has opened an investigation, a spokeswoman said. Regulators in and said on Wednesday they would also look into the matter.

Long known for its combative stance with local taxi regulators, Uber has faced a stream of top-level executive departures over issues from sexual harassment to data privacy to driver working conditions, which forced its board to remove Kalanick as CEO in June.

In recent months, London's transport regulator stripped Uber of its license to operate, citing the company's failure to deal with public safety and security issues, although Uber is appealing against the decision and the new CEO has held talks with Transport for London to resolve the stand-off.

The agency said it was seeking more information from

"We are pressing them for the full details of what has happened so that we can be satisfied that all the right protections are in place for the personal data of drivers and customers in London," a Transport for London spokesman said.

Britain's National Cyber Security Centre said it was working with other national authorities to determine how citizens may have been affected, but added that it has no information, so far, that customer financial details had been compromised.

WHO KNEW WHAT WHEN?

The breach occurred in October 2016 but Khosrowshahi said he had only recently found out about it.

Bloomberg first reported the data breach on Tuesday.

But Kalanick learned of the breach in November 2016, a month after it took place, a source familiar with the matter told Reuters. At the time, the company was negotiating with the Federal Trade Commission over the handling of consumer data.

A board committee had investigated the breach and concluded that neither Kalanick nor Salle Yoo, Uber's general counsel at the time, were involved in the cover-up, another person familiar with the issue said. The person did not say when the probe took place.

Uber said on Tuesday it was obliged to report the theft of the drivers' license information and had failed to do so.

"There is no question that the previous management and security team at Uber failed in their responsibility to their drivers, to regulators, to justice and above all to customers," said Rik Ferguson, vice president of security research at software firm Trend Micro. "That's a pretty long list."

There is no evidence of fraud against passengers as a result of the data breach, while drivers whose license numbers had been stolen are being offered free identity theft protection and credit monitoring, Uber said.

Two gained access to proprietary information stored on GitHub, a service that allows engineers to collaborate on developing software code.

There, the two people stole Uber's credentials for a separate cloud-services provider where they were able to download driver and rider data, the company said.

A GitHub spokeswoman said the hack was not the result of a failure of GitHub's security.

"While I can't erase the past, I can commit on behalf of every employee that we will learn from our mistakes," Khosrowshahi said.

FURTHER FALLOUT

Uber is negotiating with a consortium led by Japan's SoftBank for fresh investment that could be worth up to $10 billion, sources told Reuters earlier this month. SoftBank declined to comment on whether the security breach could lead it to renegotiate terms of its proposed deal.

Uber said it had fired its chief security officer, Joe Sullivan, and a deputy, Craig Clark, this week over their role in the handling of the incident. Sullivan, formerly the top security official at Facebook Inc and a federal prosecutor, served as both security chief and deputy general counsel for Uber.

Sullivan declined to comment when reached by Reuters. Clark could not immediately be reached for comment.

Kalanick, through a spokesman, declined to comment. The former CEO remains on the board of directors, and Khosrowshahi has said he consults with him regularly.

Although payments to are rarely publicly discussed, officials and private security have told Reuters that an increasing number of are paying criminal to recover stolen data.

Uber has a history of failing to protect driver and passenger data. previously stole information about drivers and the company acknowledged in 2014 that its employees had used a software tool called "God View" to track passengers.

Khosrowshahi said on Tuesday he had hired Matt Olsen, former general counsel of the National Security Agency, to restructure the company's security teams and processes. The company also hired Mandiant, a cybersecurity firm owned by FireEye Inc, to investigate the breach.

The new CEO has traveled the world since replacing Kalanick to deliver a message that Uber has matured from its earlier days as a rule-flouting startup.

"The new CEO faces an unknown number of problems fostered by the culture promoted by his predecessor," said Erik Gordon, an expert in entrepreneurship and technology at the University of Michigan's Ross School of Business.

First Published: Wed, November 22 2017. 19:38 IST