Probes, backlash over Uber hacking
Fallout from Uber’s massive data breach could include legal actions against the ride-hailing company over its yearlong cover-up.
Uber CEO Dara Khosrowshahi, who took the reins of the beleaguered company in August, spearheaded Uber’s disclosure of the hack Tuesday after a board investigation uncovered it. Uber is informing authorities, notifying the 57 million affected drivers and passengers, and providing free identity-theft monitoring for drivers. But those actions have come more than a year after the October 2016 data theft.
Uber’s failure to act earlier could hamper the company in a range of ways, including through investor backlash, class-action lawsuits and investigations by authorities worldwide, including U.S. states and the Federal Trade Commission.
Most states have data-breach notification statutes, including California, which pioneered the laws. The attorneys general of New York, Illinois, Massachusetts, Missouri and Connecticut have said they are investigating Uber’s possible violation of these laws.
“We have serious concerns about the reported conduct,” Massachusetts Attorney General Maura Healey said in a statement.
The California attorney general’s office said in a statement that it “vigorously protects the rights and interests of the nearly 40 million people of our state and that includes protecting them against disclosure of their privacy data.” But it did not comment on potential investigations or prosecutions. The office said Uber has informed it of the breach and submitted a sample of the notification letter it will send to affected drivers.
Uber said Tuesday that names and driver’s license numbers were stolen from 7 million drivers worldwide. That combination would trigger most states’ disclosure requirements, said Kurt Opsahl, general counsel of the Electronic Frontier Foundation, a nonprofit that defends civil rights in the digital world. Customers’ names, emails and mobile numbers were also hacked, but Opsahl said the theft of the customer information may not trigger the states’ requirements because no Social Security numbers, birth dates, credit card numbers, medical or insurance information were involved.
Uber has said there is no sign that the hackers used the stolen data. The company paid the two hackers $100,000 to delete the data and keep quiet about the theft. That has raised eyebrows.
The company could also face federal scrutiny. The FTC, the nation’s privacy watchdog, already penalized Uber in August for privacy and security violations, such as allowing employees to access information about riders’ trips. Now the FTC may revisit Uber’s practices. Some members of Congress on Wednesday urged the agency to do so and raised the prospect of congressional hearings.
“We are aware of press reports describing a breach in late 2016 at Uber and Uber officials’ actions after that breach,” the FTC said in a statement. “We are closely evaluating the serious issues raised.”
Several nations, including the United Kingdom, Australia and the Philippines, said they also are investigating Uber’s withholding of information about the hack.
The potential government actions would probably target the company, not executives, such as co-founder and former CEO Travis Kalanick, who knew of the data hack a month after it happened, or Joe Sullivan, who served as Uber’s chief security officer until he was fired this week. “I’m not aware of a case in which an executive was held personally responsible when a company failed to follow a breach notification,” Opsahl said.
At least one class-action suit has been filed in Los Angeles on behalf of affected customers and drivers, Bloomberg reported. Even if the stolen data weren’t misused, “the loss of the privacy and integrity of your data is a harm,” Opsahl said.
Uber’s actions — and inactions — could also initiate a Securities and Exchange Commission probe. If the break-in is material to Uber’s valuation, failing to disclose it could be seen as misleading investors, Opsahl said. Revelations of a huge data breach at Yahoo cut $350 million off the price Verizon paid for the company’s core operations this year.
Similarly, Japan’s SoftBank, which is negotiating a prospective $10 billion investment in Uber, could demand a lower price as a result of the hack, Opsahl said.
But the biggest hit may be in the court of public opinion.
Uber’s reputation is already battered. Besides its history of headbutting with regulators worldwide, it has recently been beset by allegations of aggressive corporate culture, revelations of programs to thwart regulators and snoop on customers and journalists, a lawsuit by Waymo alleging trade-secret theft, and turmoil on its board. Khosrowshahi was named CEO in August, replacing Kalanick, and is tasked with cleaning up the mess and moving the company forward.
“For any company to succeed in this information economy, customers have to be willing to trust it with a lot of data,” Opsahl said. “This is a severe blow to that trust.”
Likewise, Kowsik Guruswamy, CTO of Menlo Security, said, “the moment you hide something and pay off somebody, it does erode consumer confidence. It comes across as trying to keep this hush-hush.”
The consequences could expand beyond the company itself if the now-frequent revelations about data breaches shake consumers’ confidence about being online. Equifax, Target, Anthem and Yahoo, for instance, were all victims of even bigger data breaches than the Uber one.
“It would have massive consequences for the economy if people lost trust in the Internet,” said Steven Weber, professor of information science at UC Berkeley. He’s also director of the Center for Long-Term Cybersecurity. Joe Sullivan, just fired from Uber, sits on the center’s advisory board.
“Imagine if there’s a point where three-quarters of people suddenly say, ‘I have to assume all my personal information will be stolen online,’ ” Weber said. “That would change people’s behavior.”