China Daily Global Edition (USA)
Uber faces probes over hacking cover-up
Governments around the globe launched investigations into Uber Technologies Inc after the company disclosed it had covered up a breach that exposed data on millions of customers and drivers, the latest scandal to rock the ride-hailing firm.
Authorities in the United States and the United Kingdom, two top Uber markets, as well as Australia and the Philippines said on Wednesday that they would investigate the company’s response to the data breach.
Some US lawmakers called for congressional hearings and implored the US Federal Trade Commission (FTC) to look into the matter.
Uber said on Wednesday that it has been in contact with the FTC and several states to discuss a hack last year that exposed data on millions of customers and drivers.
“We’ve been in touch with several state Attorney General Offices and the FTC to discuss this issue, and we stand ready to cooperate with them going forward,” an Uber spokesperson said in an emailed statement.
Uber, based in San Francisco, started operating in China in 2013. In August 2016, Uber China’s business and China’s Didi Chuxing announced they would merge, with Didi purchasing Uber’s China operations, while Uber took a 17.7 percent stake in Didi.
The combined company is worth an estimated $35 billion, according to some reports.
Analysts said the main reason behind the merger was to cut costs in the battle for leadership of China’s fast-growing ride-hailing market.
After the merger, the Uber app that is used globally was disabled in China. Travelers who want to book a ride through Uber there will have to download a separate Uber China app that’s available only in Mandarin and doesn’t accept foreign credit cards.
Uber said on Tuesday that in late 2016, it had paid hackers $100,000 to destroy data on more than 57 million customers and drivers that was stolen from the company, and it decided not to report the matter to victims or authorities.
The company’s chief executive acknowledged in a blog post on Tuesday that the company had erred in handling the breach.
The data breach at Uber holds a lesson for software developers who use third-party services to store and share code: be careful what you share, Bloomberg.com reported.
Services like GitHub Inc., GitLab and SourceForge are used by developers to collaborate on projects, track bugs in code and distribute early versions of applications. They’re also a target for cyberthieves.
The hackers gained access to a password-protected area of GitHub, one of the most popular code storehouses in the world.
“Code depositories can be very problematic,” said Chris Boyd, an analyst at cybersecurity company Malwarebytes Inc. Many companies are slow to remove login details for these storage services when developers leave.
Earlier this month, a security researcher found that software developers for Chinese drone manufacturer SZ DJI Technology Co had left the private keys for their Amazon Web Services cloud account and all the company’s websites in code they posted publicly on GitHub.
Attorneys general in at least four US states — Connecticut, Illinois, Massachusetts and New York — said they had launched investigations into the breach.
“We have serious concerns about the reported conduct,” Massachusetts Attorney General Maura Healey said in a statement.
US Senator Richard Blumenthal of Connecticut took to Twitter to call for the FTC to investigate Uber, describing the company’s behavior as “inexplicable” and asking for the FTC to impose “significant penalties”.
US Representative Frank Pallone of New Jersey called for a congressional hearing.
Money-losing Uber is known for the tough stance it has taken against regulators as it seeks to aggressively expand and compete with existing taxi services.
Britain’s data protection authority said it would work with agencies in the UK and overseas to investigate.
“If UK citizens were affected, then we should have been notified so that we could assess and verify the impact on people whose data was exposed,” James Dipple-Johnstone, deputy commissioner of the UK Information Commissioner’s Office, said in a statement.
The stolen information included names, email addresses and phone numbers of 57 million Uber users around the world, and the names and license numbers of 600,000 US drivers, according to a blog post by Uber’s new chief executive, Dara Khosrowshahi, who replaced co-founder Travis Kalanick as CEO in August.
Uber said it fired its chief security officer, Joe Sullivan, and a deputy, Craig Clark, this week. Sullivan, formerly the top security official at Facebook Inc and a federal prosecutor, served as both security chief and deputy general counsel for Uber.
Sullivan declined comment. Clark could not be reached.
Kalanick, through a spokesman, declined to comment. The former CEO remains on the Uber board of directors, and Khosrowshahi has said he consults with him regularly.
A stream of executives have left Uber in recent months amid controversies involving sexual harassment, data privacy and business practices in Asia. The board removed Kalanick as CEO in June.