Until recently, it was not publicly known that Uber’s data, including the personal information of millions of riders and drivers, had been breached. The announcement of the breach comes just as Uber prepares to seek an initial public offering (IPO) in 2019.
With new details emerging about how Uber covered up the breach and how much it is now paying in a settlement, the company will have to work even harder to repair its image. Here is what happened and what Uber is saying in response.
According to recent reports, Uber is paying out $148 million to settle claims over its 2016 data breach, in which hackers stole the personal information of at least 25 million customers and drivers in the U.S. Instead of reporting the breach, as the law required it to do, Uber paid the hackers $100,000.
Discovering The Breach
That was in 2016, but it wasn’t until November 2017 that Bloomberg News reported the breach and Uber CEO Dara Khosrowshahi revealed exactly what information the hackers had taken. They reportedly downloaded the names, email addresses and mobile phone numbers of 57 million Uber users around the world. That figure includes 607,000 of the company’s drivers, whose names and driver’s license numbers were also exposed.
Failure to Disclose
The Federal Trade Commission (FTC) said that Uber failed to disclose the breach last year while the agency was investigating and sanctioning the company for a similar data breach that happened in 2014. “After misleading consumers about its privacy and security practices, Uber compounded its misconduct,” said Maureen Ohlhausen, the acting FTC chairwoman.
She announced an expansion of the 2017 settlement, saying the new agreement was “designed to ensure that Uber does not engage in similar misconduct in the future.” In the 2016 breach, hackers obtained unencrypted personal information of U.S. riders and drivers from a data-storage service run by Amazon.com Inc. Because the data was stored in plaintext, anyone who gained access to the storage service could read it directly, with no key to obtain first.
The hackers then approached Uber and demanded $100,000 to delete their copy of the data, a ransom that Uber paid, according to The New York Times. The deal was arranged by the company’s chief security officer under the watch of the former chief executive, Travis Kalanick, according to current and former employees who spoke about the incident.
Concealing The Damage
But Uber went even further. The company reportedly tracked down the hackers and pushed them to sign nondisclosure agreements to further conceal the damage. Uber executives also claimed that the payout was part of a “bug bounty,” a common practice among technology companies in which they pay outside researchers to probe their software for weaknesses.
These “bug bounty” programs are offered by many websites and software developers; they compensate people for reporting bugs, especially those that can be exploited. The programs allow developers to discover and resolve bugs before the general public is aware of them. Bug bounty programs have reportedly been used by major companies like Facebook, Google, Yahoo, and Microsoft. A legitimate bounty rewards a researcher for reporting a vulnerability before it is exploited; it does not pay an attacker who has already exfiltrated data to keep quiet, which is the distinction critics drew in Uber’s case.
The details of this attack remained hidden until November 2017, when Uber said it had discovered the breach as part of a board investigation into its business practices. Uber’s Chief Legal Officer, Tony West, revisited the issue in a blog post on September 26, 2018. He said: “My first day at Uber was not typical.”
“Rather than settling into my new workspace and walking the floor to meet my new colleagues, I spent the day calling various state and federal regulators to discuss the 2016 data incident the company had just disclosed. Our current management team’s decision to disclose the incident was not only the right thing to do, it embodies the principles by which we are running our business today: transparency, integrity, and accountability,” West wrote.
He continued by emphasizing that “an important component to living up to those principles means taking responsibility for past mistakes, learning from them, and moving forward.” West explained that Uber is moving forward by improving its “safety and security” and hiring experts like Ruby Zefo as chief privacy officer and Matt Olsen as chief trust & security officer.
“We know that earning the trust of our customers and the regulators we work with globally is no easy feat. After all, trust is hard to gain and easy to lose. We’ll continue to invest in protections to keep our customers and their data safe and secure, and we’re committed to maintaining a constructive and collaborative relationship with governments around the world,” West added.
As part of Uber’s effort to “clean up,” chief security officer Joe Sullivan has been fired, and former chief executive Travis Kalanick was forced out in June 2017 (although he remains on Uber’s board). Khosrowshahi, who was named chief executive of Uber in late August 2017, said he had only recently learned of the breach. “None of this should have happened, and I will not make excuses for it,” Khosrowshahi said in a company blog post.
What Was Downloaded
He said that forensic experts had seen no indication that trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded. Some personal information, however, including names, email addresses and mobile phone numbers, was downloaded. “You may be asking why we are just talking about this now, a year later,” Khosrowshahi said. “I had the same question, so I immediately asked for a thorough investigation of what happened and how we handled it.”
Khosrowshahi said the actions he took included notifying the drivers whose license numbers were downloaded, providing those drivers with free credit monitoring and identity theft protection, notifying regulatory authorities, and monitoring the affected accounts and flagging them for additional fraud protection. “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers,” Khosrowshahi said.
Uber’s decision to conceal the breach and pay the ransom quickly raised questions among security experts. Many experts have warned companies against paying hackers a ransom to cover up breaches or to recover stolen data. The FBI gave similar advice in an April 2016 statement, which said: “The FBI doesn’t support paying a ransom in response to a ransomware attack.” That statement addressed ransomware, where the attacker encrypts the victim’s data; Uber’s case was extortion over data the attackers had already copied, where a payment gives no assurance that the copy was actually deleted.
“Paying a ransom doesn’t guarantee an organization that it will get its data back – we’ve seen cases where organizations never got a decryption key after having paid the ransom. Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity. And finally by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals,” said FBI Cyber Division Assistant Director James Trainer.
Rebuilding its Image
The announcement of the breach means that Uber will have to work even harder to repair its image as it prepares to seek an IPO in 2019. While it is not in itself illegal to pay money to hackers, Uber may have violated several laws in its dealings with them.
Uber may have violated a Federal Trade Commission rule on breach disclosure that prohibits companies from destroying forensic evidence in the course of their investigation. Uber may also have violated state breach disclosure laws by not disclosing the theft of its drivers’ data. If the stolen data was not encrypted, California state law would have required Uber to disclose the theft of its drivers’ license data.
The way the breach was kept quiet reminded people of some of the practices that Kalanick implemented while at Uber. The New York Times also reported on a secret program called Greyball, in which Uber staff members monitored law enforcement officials in order to evade them. “The program, involving a tool called Greyball, uses data collected from the Uber app and other techniques to identify and circumvent officials who were trying to clamp down on the ride-hailing service,” the report said.
Another Possible Violation
“At a time when Uber is already under scrutiny for its boundary-pushing workplace culture, its use of the Greyball tool underscores the lengths to which the company would go to dominate its market.” It’s possible that Greyball could be considered a violation of the Computer Fraud and Abuse Act, or an intentional obstruction of justice, according to Peter Henning, a law professor at Wayne State University. It is uncertain what Uber will do next.