Toronto/San Francisco: Struggling ride-hailing firm Uber faces a fresh regulatory crackdown after disclosing it paid hackers $100,000 to keep secret a massive breach last year that exposed personal data from around 57 million accounts.
Discovery of the US company’s cover-up of the incident resulted in the firing of two employees responsible for its response to the hack, said Dara Khosrowshahi, who replaced co-founder Travis Kalanick as chief executive in August.
“None of this should have happened, and I will not make excuses for it," Khosrowshahi said in a blog post.
Britain’s data protection authority said on Wednesday that concealment of the data breach raises “huge concerns" about Uber’s data policies and ethics.
“Deliberately concealing breaches from regulators and citizens could attract higher fines for companies," James Dipple-Johnstone, deputy commissioner of the UK Information Commissioner’s Office, said in a statement. Current British law carries a maximum penalty of £500,000 ($662,000) for failing to notify users and regulators when data breaches occur.
The stolen information included names, email addresses and mobile phone numbers of Uber users around the world, and the names and license numbers of 600,000 US drivers, Khosrowshahi said. Uber declined to say what other countries may be affected. Khosrowshahi also said Uber had begun notifying regulators. The New York attorney general has opened an investigation, a spokeswoman said. Regulators in Australia and the Philippines said on Wednesday they would also look into the matter.
Long known for its combative stance with local taxi regulators, Uber has faced a stream of top-level executive departures over issues from sexual harassment to data privacy to driver working conditions, which forced its board to remove Kalanick as CEO in June. In recent months, London’s transport regulator stripped Uber of its license to operate citing the company’s failure to deal with public safety and security issues, although Uber is appealing against the decision and the new CEO has held talks with Transport for London to resolve the stand-off.
The agency said it was seeking more information from Uber.
“We are pressing them for the full details of what has happened so that we can be satisfied that all the right protections are in place for the personal data of drivers and customers in London," a Transport for London spokesman said.
Britain’s National Cyber Security Centre said it was working with other national authorities to determine how UK citizens may have been affected, but added that it has no information, so far, that customer financial details had been compromised.
The breach occurred in October 2016 but Khosrowshahi said he had only recently found out about it. Bloomberg News first reported the data breach on Tuesday.
But Kalanick learned of the breach in November 2016, a month after it took place, a person familiar with the matter told Reuters. At the time, the company was negotiating with the US Federal Trade Commission over the handling of consumer data.
A board committee had investigated the breach and concluded that neither Kalanick nor Salle Yoo, Uber’s general counsel at the time, were involved in the cover-up, another person familiar with the issue said. The person did not say when the probe took place.
Uber said on Tuesday it was obliged to report the theft of the drivers’ license information and had failed to do so.
“There is no question that the previous management and security team at Uber failed in their responsibility to their drivers, to regulators, to justice and above all to customers," said Rik Ferguson, vice-president of security research at software firm Trend Micro. “That’s a pretty long list".
There is no evidence of fraud against passengers as a result of the data breach, while drivers whose license numbers had been stolen are being offered free identity theft protection and credit monitoring, Uber said. Two hackers gained access to proprietary information stored on GitHub, a service that allows engineers to collaborate on developing software code. There, the two people stole Uber’s credentials for a separate cloud-services provider where they were able to download driver and rider data, the company said. A GitHub spokeswoman said the hack was not the result of a failure of GitHub’s security. Reuters