Earlier this week, Uber dropped a bombshell by disclosing details of a data breach involving some 57 million user accounts—and then admitting to paying the hackers $100,000 to destroy the stolen data and keep their mouths shut. Disturbingly, this all happened over a year ago, and as it now turns out, Uber’s new CEO, Dara Khosrowshahi, has known about the hacks since he took the helm back in September.
Following a string of scandals and mounting shareholder pressure, Travis Kalanick resigned his role as Uber CEO in June. Dara Khosrowshahi, who assumed the role on September 5, was supposed to be a kinder, gentler chief executive of the ride-hailing company, but as The Wall Street Journal reports, this song is starting to sound familiar. What’s that classic lyric in the Who’s “Won’t Get Fooled Again”?
Meet the new boss...same as the old boss...
Khosrowshahi learned of the breach about two weeks after becoming CEO, then waited more than two months to pull the trigger on a public disclosure.
In October 2016, hackers illicitly accessed the email addresses and phone numbers of around 57 million Uber customers, while also accessing the license numbers of about 600,000 drivers. Uber officials, including security personnel, knew about the hacks, but they kept quiet, slipping $100,000 to the hackers to do the same. The breaches happened under the not-so-watchful eye of Kalanick, and Khosrowshahi was brought up to speed only after he took the helm, according to the WSJ. The new CEO reportedly ordered an immediate investigation into the incident.
Three weeks ago, Uber fessed up to SoftBank Group Corp—a company that’s currently considering a multibillion-dollar investment in Uber. The WSJ says an investigation by FireEye’s Mandiant, a cybersecurity firm, was already underway by the time Uber broke the news to SoftBank Group.
Since the news of the hacks broke earlier this week, several inquiries, including some in the US and in Europe, have been launched to understand why it took Uber more than a year to disclose the hacks. As for Khosrowshahi’s delay, it’s completely reasonable to ask how long an incoming CEO should wait before admitting to the public what happened (uh, maybe immediately?).
Most US states have laws requiring companies to notify regulators and consumers of a serious data breach within six to eight weeks, but given the sensitivity of the stolen information, it’s not unrealistic or unfair to ask a company to disclose a breach even sooner. This would afford customers the opportunity to take protective measures, such as changing their passwords.
Recent precedents being what they are, it seems that companies have gotten into the habit of taking their sweet time with these sorts of disclosures. Equifax waited six weeks to admit to a hack that compromised the personal information of 145 million customers, and Yahoo disclosed a massive data breach involving 500 million accounts late last year—a full two years after the incident occurred.
None of this is reassuring to customers, who have to put their faith in online companies when handing over sensitive information like email addresses, passwords, and credit card numbers. It’s time for the judicial system to hold these companies to a higher standard—and make them pay for these security screwups...lest we get fooled again.