Regulators to press Uber after it admits covering up data breach
		
		 [November 22, 2017] 
		 By Jim Finkle and Heather Somerville 
 TORONTO/SAN FRANCISCO (Reuters) - 
		Struggling ride-hailing firm Uber [UBER.UL] faces a fresh regulatory 
		crackdown after disclosing it paid hackers $100,000 to keep secret a 
		massive breach last year that exposed personal data from around 57 
		million accounts.
 
 Discovery of the U.S. company's cover-up of the incident resulted in the 
		firing of two employees responsible for its response to the hack, said 
		Dara Khosrowshahi, who replaced co-founder Travis Kalanick as chief 
		executive in August.
 
 "None of this should have happened, and I will not make excuses for it," 
		Khosrowshahi said in a blog post. (http://ubr.to/2AmxlQt)
 
 Britain's data protection authority said on Wednesday that concealment 
		of the data breach raises "huge concerns" about Uber's data policies and 
		ethics.
 
 "Deliberately concealing breaches from regulators and citizens could 
		attract higher fines for companies," James Dipple-Johnstone, deputy 
		commissioner of the UK Information Commissioner's Office, said in a 
		statement. Current British law carries a maximum penalty of 500,000 
		pounds ($662,000) for failing to notify users and regulators when data 
		breaches occur.
 
		
		 
		The stolen information included names, email addresses and mobile phone 
		numbers of Uber users around the world, and the names and license 
		numbers of 600,000 U.S. drivers, Khosrowshahi said. Uber declined to say 
		what other countries may be affected.

 Khosrowshahi also said Uber had begun notifying regulators. The New York 
		attorney general has opened an investigation, a spokeswoman said. 
		Regulators in Australia and the Philippines said on Wednesday they would 
		also look into the matter.
 
 Long known for its combative stance with local taxi regulators, Uber has 
		faced a stream of top-level executive departures over issues from sexual 
		harassment to data privacy to driver working conditions, which forced 
		its board to remove Kalanick as CEO in June.
 
 In recent months, London's transport regulator stripped Uber of its 
		license to operate citing the company's failure to deal with public 
		safety and security issues, although Uber is appealing against the 
		decision and the new CEO has held talks with Transport for London to 
		resolve the stand-off.
 
 The agency said it was seeking more information from Uber.
 
 "We are pressing them for the full details of what has happened so that 
		we can be satisfied that all the right protections are in place for the 
		personal data of drivers and customers in London," a Transport for 
		London spokesman said.
 
 Britain's National Cyber Security Centre said it was working with other 
		national authorities to determine how UK citizens may have been 
		affected, but added that it has no information, so far, that customer 
		financial details had been compromised.
 
 WHO KNEW WHAT WHEN?
 
 The breach occurred in October 2016 but Khosrowshahi said he had only 
		recently found out about it.
 
 Bloomberg News first reported the data breach on Tuesday.
 
		
		 
		But Kalanick learned of the breach in November 2016, a month after it 
		took place, a source familiar with the matter told Reuters. At the time, 
		the company was negotiating with the U.S. Federal Trade Commission over 
		the handling of consumer data.

 A board committee had investigated the breach and concluded that neither 
		Kalanick nor Salle Yoo, Uber's general counsel at the time, was 
		involved in the cover-up, another person familiar with the issue said. 
		The person did not say when the probe took place.
 
 Uber said on Tuesday it was obliged to report the theft of the drivers' 
		license information and had failed to do so.
 
		
            
			 
            
			The chief executive of Uber Technologies Inc, Dara Khosrowshahi 
			attends a meeting with Brazilian Finance Minister Henrique Meirelles 
			(not pictured) in Brasilia, Brazil October 31, 2017. REUTERS/Adriano 
			Machado 
            
			 
"There is no question that the previous management and security team at Uber 
failed in their responsibility to their drivers, to regulators, to justice and 
above all to customers," said Rik Ferguson, vice president of security research 
at software firm Trend Micro. "That’s a pretty long list."

There is no evidence of fraud against passengers as a result of the data breach, 
while drivers whose license numbers had been stolen are being offered free 
identity theft protection and credit monitoring, Uber said.

 Two hackers gained access to proprietary information stored on GitHub, a service 
that allows engineers to collaborate on developing software code. There, the two 
people stole Uber's credentials for a separate cloud-services provider where 
they were able to download driver and rider data, the company said.
 
 A GitHub spokeswoman said the hack was not the result of a failure of GitHub's 
security.
 
"While I can't erase the past, I can commit on behalf of every Uber employee 
that we will learn from our mistakes," Khosrowshahi said.

 FURTHER FALLOUT
 
 Uber is negotiating with a consortium led by Japan's SoftBank Group <9984.T> for 
fresh investment that could be worth up to $10 billion, sources told Reuters 
earlier this month. SoftBank declined to comment on whether the security breach 
could lead it to renegotiate terms of its proposed deal.
 
 Uber said it had fired its chief security officer, Joe Sullivan, and a deputy, 
Craig Clark, this week over their role in the handling of the incident. 
Sullivan, formerly the top security official at Facebook Inc <FB.O> and a 
federal prosecutor, served as both security chief and deputy general counsel for 
Uber.
 
Sullivan declined to comment when reached by Reuters. Clark could not 
immediately be reached for comment. 
 
Kalanick, through a spokesman, declined to comment. The former CEO remains on 
the Uber board of directors, and Khosrowshahi has said he consults with him 
regularly.

 Although payments to hackers are rarely publicly discussed, U.S. Federal Bureau 
of Investigation officials and private security companies have told Reuters that 
an increasing number of companies are paying criminal hackers to recover stolen 
data.
 
 Uber has a history of failing to protect driver and passenger data. Hackers 
previously stole information about Uber drivers and the company acknowledged in 
2014 that its employees had used a software tool called "God View" to track 
passengers.
 
Khosrowshahi said on Tuesday he had hired Matt Olsen, former general counsel of 
the U.S. National Security Agency, to restructure the company's security teams 
and processes. The company also hired Mandiant, a cyber security firm owned by 
FireEye Inc <FEYE.O>, to investigate the breach.

 The new CEO has traveled the world since replacing Kalanick to deliver a message 
that Uber has matured from its earlier days as a rule-flouting startup.
 
 "The new CEO faces an unknown number of problems fostered by the culture 
promoted by his predecessor," said Erik Gordon, an expert in entrepreneurship 
and technology at the University of Michigan's Ross School of Business.
 
 (Reporting by Jim Finkle in Toronto; Heather Somerville, Joseph Menn and Stephen 
Nellis in San Francisco, Manolo Serapio Jr in Manila, Byron Kaye in Sydney, Sam 
Nussey in Tokyo and Eric Auchard in London; Editing by Lisa Shumaker, Stephen 
Coates and Adrian Croft)
 
				 
[© 2017 Thomson Reuters. All rights reserved.] Copyright 2017 Reuters. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.
			
			