Wednesday, November 22, 2017

Uber failed to tell its users or regulators about a massive data breach that included the names, email addresses and phone numbers of some 57m passengers and drivers - Financial Times


Uber failed to tell its users or regulators about a massive data breach that included the names, email addresses and phone numbers of some 57m passengers and drivers, the car-booking company admitted on Tuesday.
The New York Attorney General’s office said it had opened an investigation into the data breach, in a sign of the legal reckoning that Uber could face from regulators around the world over its handling of the incident.
Uber realised that its user information had been hacked in December 2016 but, instead of notifying regulators or the people affected, it paid $100,000 to the hackers to get them to destroy the stolen information, the company said.
Dara Khosrowshahi, chief executive, who took the helm at Uber in September, issued an apology and said he had started an investigation into the breach as soon as he learnt about it.
He also asked for the resignation of Joe Sullivan, its chief security officer, a former federal prosecutor and previously head of security at Facebook, who was one of the most senior executives at the company.
The news comes at a sensitive time for the company, as it works to finalise an investment deal from a SoftBank-led consortium that could be worth up to $10bn and to move on from a string of self-inflicted governance crises.
“None of this should have happened, and I will not make excuses for it,” Mr Khosrowshahi wrote in a statement. “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business,” he wrote.
The personal details of some 7m drivers — including driver’s licence numbers for some 600,000 US drivers — were affected by the breach, along with account details from about 50m passengers.
Uber said it had informed regulators around the world of the breach on Tuesday, as well as individually contacting the US drivers whose licence numbers had been taken. The company has not seen unusual activity on the accounts that were affected, according to a person familiar with the investigation.
Although the data breach did not include information such as credit card numbers or trip histories, the fact that it was not disclosed sooner and that the hackers were paid off could present a legal headache for the company.
Katie Moussouris, founder of Luta Security, said that the law requires companies to report a breach in a “reasonable timeframe”.
“It is clear that Uber took about a year, which doesn’t seem like a reasonable timeframe,” she said. The Federal Trade Commission and EU regulators were likely to investigate the hack, she said. If the company covered up the hack, it could be criminally liable in the US, she said.
Uber’s payment to the hackers behind the attack is unusual: few companies ever admit to paying attackers, since doing so could encourage further attacks.
“A big part of the shock and disappointment comes from the fact that Uber appears to have paid hush-money to keep this under wraps for a full year,” said Kowsik Guruswamy, chief technology officer at Menlo Security.
The vast majority of cases in which companies have paid hackers involve ransomware, where the attackers demand much smaller sums to decrypt the victim’s data. Even in those cases, the Federal Bureau of Investigation advises against paying ransoms. The most high-profile example was when Hollywood Presbyterian Medical Center paid a $17,000 ransom in bitcoin last year to hackers who had locked up the hospital’s computer systems.
Mr Khosrowshahi’s decision to publicly announce the data breach — during a holiday week as the US celebrates Thanksgiving — represents an effort by him to get skeletons out of the closet during the first months of his tenure.
One of his big recent hires was a new chief legal officer, Tony West, whose first day at Uber will be on Wednesday. The company has also engaged Matt Olsen, a cyber security expert and former general counsel of the US National Security Agency, to advise on a restructuring of its security team following the revelations about the data breach.
Uber is already facing several federal legal probes in the US, and will go to trial next month in a lawsuit in which it is accused of stealing trade secrets related to self-driving car sensors, an accusation that Uber denies.