Sen. Mark Warner, D-Va., recently sent a letter to Uber CEO Dara Khosrowshahi calling for greater details on a hack that impacted millions of users and hundreds of thousands of drivers in November 2016 and was only reported to consumers in November 2017.
“Uber’s conduct raises serious questions about the company’s compliance with relevant state and federal regulations,” Warner wrote in the letter, which he published on Scribd. “According to reports, the handling of this major breach was led by your predecessor and his hand-picked chief security officer, both of whom have been alleged to have cultivated a corporate culture that encouraged senior management to ‘push legal boundaries and look the other way.’ While I applaud you for ordering an investigation, firing two senior executives implicated in the decisions related to the handling of this breach and pledging to cooperate with law enforcement, I have a number of questions to which I am eager to receive your answers.”
According to reports, instead of notifying the authorities of the hack in 2016 or being forced to pay a ransom for the stolen data’s return, Uber itself tracked down the hackers, agreeing to pay them $100,000 in exchange for a signed non-disclosure agreement and the destruction of the data.
“It appears the motivation behind this payment was principally to prevent the public or authorities from learning of the breach,” Warner wrote, raising additional concerns that the company may have “hacked back” against the perpetrators in order to uncover their identities, in violation of current law.
Khosrowshahi, who took over the position of CEO from Travis Kalanick in September 2017, began an investigation into the company’s response to the hack soon after assuming the position.
“At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals,” wrote Khosrowshahi on the breach. “We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.”
Warner also questioned why, if Uber had been able to identify the parties responsible, the company did not use that information to notify law enforcement of the hack.
“Uber’s decision to identify the responsible parties and commit them to a non-disclosure agreement thwarts law enforcement’s ability to bring criminal hackers to justice,” Warner wrote. “It conceivably had enough information at hand to assist law enforcement in the apprehension of these criminals.”
Among the senator’s questions were concerns that the company had disclosed the breach, and the subsequent cover-up, to prospective investors before disclosing it to the public and the consumers affected.
Public notification in the wake of a major breach has been of particular concern of late in Congress. Rep. Jim Langevin, D-R.I., introduced the Personal Data Notification and Protection Act in September 2017, after the Equifax breach exposed 143 million Americans’ personal information; the bill would establish standards governing when companies would be required to notify consumers that their data had been hacked.
Uber recently committed to providing affected drivers with free credit monitoring and identity theft protection and to notifying regulatory authorities.
“While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers,” Khosrowshahi wrote.