Just when it looked like Uber had put the worst of a very bad year behind it, things have taken yet another turn for the worse, the ride-sharing giant acknowledging that hackers stole personal data from around 57 million user and driver accounts.
If that wasn’t bad enough, Uber officials went on to acknowledge they paid the data thieves $100,000, allegedly to destroy the information they had accessed, and then kept the news secret for a year. With memories of how consumer data firm Equifax kept its own breach quiet for months, Uber is coming under intense criticism, with regulators in the U.S. and Europe already threatening investigations.
“You may be asking why we are just talking about this now, a year later. I had the same question,” wrote Uber CEO Dara Khosrowshahi in a blog. “None of this should have happened, and I will not make excuses for it,” added Khosrowshahi, who joined the embattled firm in August following the ouster of founder and former CEO Travis Kalanick, who was embroiled in a variety of scandals.
It now appears that 50 million Uber riders had their personal data compromised, including names, email addresses and phone numbers. Another 7 million drivers were impacted, and about 600,000 of them also had their drivers’ license information accessed. If there’s any good news, Uber claims that the breach did not expose such things as dates of birth, Social Security numbers or credit card information – all data that would make it particularly easy to commit identity theft.
Once the breach was discovered, Uber “identified the individuals and obtained assurances that the downloaded data had been destroyed,” wrote Khosrowshahi, in exchange for a payment of $100,000. As part of that payoff, the hackers also agreed not to reveal what had happened.
So-called ransomware attacks have become increasingly common. The WannaCry episode, earlier this year, spread to 116 countries before it was contained, among other things shutting down operations at hospitals in Britain and Ukraine and even forcing Nissan to halt operations at several plants in Japan. But those who distribute ransomware typically follow up by providing digital keys to unlock encrypted data once they’ve been paid off.
One of the big questions being asked by observers today is whether the hackers who got into the Uber database really destroyed the information they stole or have used it, perhaps even sold it to other “black hat” hackers.
It is not clear who made the decision to continue maintaining secrecy about the breach, though the ride-sharing service this week fired both Chief Security Officer Joe Sullivan and a key associate, Craig Clark. Meanwhile, Reuters is reporting that former CEO Kalanick learned about the problem in November 2016, a month after it occurred. At that point, Uber was already dealing with the Federal Trade Commission over concerns about its handling of consumer data.
“There is no question that the previous management and security team at Uber failed in their responsibility to their drivers, to regulators, to justice and above all to customers,” Rik Ferguson, vice president of security research at software firm Trend Micro, told the Bloomberg news service. “That’s a pretty long list.”
There’s a long list of other problems that have hammered Uber this past year, including allegations of gender and racial discrimination, the use of illegal software to thwart regulators and efforts to improperly block drivers from working for chief competitor Lyft.
Kalanick was blamed for creating a “baller” mindset at Uber that led to such cavalier behavior, critics contended as pressure ramped up to oust him. He nonetheless remains on the Uber board. Khosrowshahi has been forced to spend much of his time since joining Uber on damage control. Among other things, he has been negotiating with regulators in London who have moved to block the ride-sharing service from operating there.
Reversing that decision could now be more complicated, with British regulators expressing outrage at the latest news.
“Deliberately concealing breaches from regulators and citizens could attract higher fines for companies,” James Dipple-Johnstone, deputy commissioner of the UK Information Commissioner’s Office, said in a statement.
Under British law a company could be fined the equivalent of about $660,000 for failing to notify customers in a timely manner when a breach occurs.
Uber has told its drivers it will put them under a one-year identity theft protection program.
An investigation has already been launched by the New York State attorney-general, and others could be added in Australia and the Philippines, according to wire service reports.
But the damage could grow substantially. In the wake of the various scandals that have occurred this past year, industry analysts have identified a sharp decline in Uber’s market share, much of it lost to Lyft.
Separately, Uber has been negotiating a new, $10 billion investment by a consortium led by Japan’s SoftBank Group. Though there has been no comment from SoftBank, observers warn the breach could lead to those talks being called off, or the consortium might try to renegotiate, especially if Uber’s value is seen as being tarnished by the stolen data scandal.