Uber faces new crisis after massive hack

Uber faces new crisis after massive hack

Uber is reeling from a new controversy over revelations that the company tried to cover up a massive breach last year in which hackers pilfered information from 57 million of its customers.

As a result of the hack, the ride-share company now faces probes from multiple state attorneys general, as well as international regulators in Europe.

The concerns are not only limited to the breach itself; the strongest ire is coming from regulators over how Uber handled the cyberattack. The ride-sharing firm initially kept the massive breach a secret, which new CEO Dara Khosrowshahi acknowledges Uber should not have done.

More alarmingly, Uber paid the hackers $100,000 in exchange for destroying the files and, according to The New York Times, made the hackers sign nondisclosure agreements to cover up the cyberattack.


The development is the latest in a series of scandals for the company that earlier this year forced the resignation of CEO Travis Kalanick.

His successor has been left to clean up the mess.

“None of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes,” Khosrowshahi wrote in a blog post Tuesday disclosing the breach.

“We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”

The episode took place late last year when hackers gained access to names, email addresses and phone numbers of 57 million Uber users worldwide, as well as the driver’s license numbers of roughly 600,000 U.S. drivers.

Kalanick, who at the time was CEO, learned of the breach a month after it occurred. The company is said to have fired two executives who were involved in the response to the breach and its subsequent cover-up, including chief security officer Joe Sullivan.

Legal experts say the company is likely to be faulted for running afoul of breach notification laws in the states that have them where customer data was compromised.

Attorneys general in at least three states, including Massachusetts and New York, have already launched investigations into the hack.

Steve Rubin, head of the cybersecurity legal practice at Moritt Hock & Hamroff, told The Hill that the incident is likely to trigger an investigation by the Federal Trade Commission (FTC), which has already faulted Uber for making deceptive claims about data privacy.

“This wasn’t simply a data breach,” Rubin said. “They went further and they tried to pay off a hacker in order to avoid their obligation to report to attorneys generals.”

“Companies get punished for that,” Rubin said.

The FTC hasn’t commented on whether or not it will investigate the matter, but an agency spokesperson said in an emailed statement that it is “closely evaluating the serious issues raised.”

The development has already triggered blowback on Capitol Hill, with a key Democrat jockeying for an investigation.

“The security breach shows a sloppy approach by the company to protecting consumer data, and demonstrates a severe breach of trust with the public, its own employees and regulators who it failed to notify in a timely manner,” said Rep. Frank Pallone, Jr. (D-N.J.), ranking member of the House Commerce Committee.

“If Uber did indeed secretly pay-off the hackers to keep the breach quiet, then a possible cover up of the incident is problematic and must be investigated,” he added in his statement.

The developments have some of the hallmarks of the Equifax data breach, which the credit reporting firm said in September impacted 145 million Americans earlier this year.

Equifax executives have been hauled before congressional committees in Washington to explain why it took several weeks for the firm to notify consumers of the incident.

For Uber, the hack renews the scandal surrounding the company that had temporarily died down after Kalanick was pushed out as CEO.

Uber became embroiled in controversy earlier this year after the company faced sexual harassment allegations, prompting an investigation by former Attorney General Eric HolderEric Himpton HolderObama: Voting rights bill must pass before next election NYC voters set to decide Vance's replacement amid Trump probe Obama planning first post-2020 fundraiser MORE into the company’s culture.

Kalanick faced other scandals as well, including the emergence of a tape that showed him engaging in a heated exchange with a driver about fare declines, and revelations that Uber had been using a software tool called Greyball to evade state and local regulators investigating the ride-sharing firm.

After Khosrowshahi took over for Kalanick in August, the former Expedia CEO appeared poised to lead Uber in a new, scandal-free direction. With news of the breach, however, it appears Khosrowshahi will be stuck picking up the pieces left by his predecessor.

Still, his presence at Uber's helm might be what helps the embattled company skate by its latest PR fiasco.
"The Uber brand is about as tarnished as it gets in 2017," said Matt Rizzetta, CEO of the brand communications agency North 6th. "There is no goodwill and trust in Uber as a brand at this point."
Rizzetta said the company's move to issue statements through Khosrowshahi, as opposed to the company itself, will help them.
"This crisis predates his tenure with the company. He has a rock-solid brand. They’re choosing to go with the messaging of their CEO and that might save them."