Uber is now facing tough questions from Congress over a data breach last year that affected as many as 57 million user and driver accounts. It was revealed last week that the ride-hailing company paid $100,000 to hackers who accessed the user data in exchange for their silence.
The incident, which occurred more than a year ago and was kept under wraps, has raised concerns about what a responsible disclosure should look like in the wake of a major security breach. Furthermore, questions linger over whether Uber was acting in the best interest of its users or whether it was mostly concerned about its own image when it paid the hackers to delete the stolen data.
The stolen data, which included email addresses, phone numbers, and driver’s license numbers, was discovered by hackers on an Amazon server, which they accessed using credentials lifted from a private GitHub site used by Uber software engineers. Although it could be argued that handing over $100,000 to hackers is a small price to pay—the so called “cost of doing business”—there doesn’t seem to be any conceivable way that Uber could’ve ensured that the hackers actually deleted the data after receiving their hush money.
Both Joe Sullivan, Uber’s chief security officer, and Craig Clark, a lawyer who reported to him, were fired because of the incident. On Thursday it was reported that Uber’s new CEO, Dara Khosrowshahi, who took over for Travis Kalanick following a string of scandals, became aware of the breach two weeks after becoming CEO. However, Uber waited for an additional two months to disclose the incident.
Now, both Democrats and Republicans in Congress are pressuring Uber to reveal further details behind the “troubling” reports of how the company handled the hack.
In a letter Monday, Sen. Mark Warner, the ranking Democrat on the Senate Banking Subcommittee on Securities, Insurance and Investment, wrote that he had “grave concerns” about the breach, which impacted millions. Uber’s conduct, he said, “raises serious questions about the company’s compliance with state and federal regulations.”
Most states have specific laws in place for handling data breaches on this scale, which includes a patchwork of notification requirements. In some states, public notification is required within 30 days of when the company learns of the breach and may even require the company to notify the media when a considerable number of consumers are impacted. In California, for example, a company involved in a major breach is required to “conspicuously” post information about the breach on its website.
Below are just a few of the questions to which Sen. Warner has asked Uber’s Khosrowshahi to respond (read Warner’s full letter here):
- According to reports, Uber’s systems were breached after the attackers discovered log-in credentials to an AWS account used to handle payments. Why weren’t more robust access management mechanisms, including strong multi-factor authentication, enabled to prevent unauthorized access to passenger and driver data?
- Who conducted the initial investigation for Uber that successfully identified the hackers? What “assurances” were provided by the hackers to prove they did, in fact, delete the compromised data?
- Unlike ransomware payments, in which payment is made to recover or regain access to inaccessible data or systems, it appears the motivation behind this payment was principally to prevent the public or authorities from learning of the breach. What rationale was provided by senior executives for covering up this breach?
Sen. John Thune, who chairs the Senate Commerce Committee, also sent a letter on Monday, co-signed by three other lawmakers, including Sen. Orrin Hatch, Republican of Utah and chairman of the Senate Finance Committee. The Republicans’ letter likewise requests specifics regarding when Uber first learned of the hack, what steps Uber has taken to notify victims, and who authorized the payments to conceal the hack. (Read Thune’s full letter here.)
“[T]he nature of the information currently acknowledged to have been compromised, together with the allegation that the company concealed the breach without notifying affected drivers and consumers, and prior privacy concerns at Uber, make this a serious incident that merits further scrutiny,” the lawmakers wrote.