Uber: ‘No justification’ for covering up data breach
An Uber executive told Congress on Tuesday that there was “no justification” for the company covering up a massive 2016 data breach that exposed the information of 57 million people.
“I think we made a misstep in not reporting to consumers, and I think we made a misstep in not reporting to law enforcement,” John Flynn, Uber’s chief information security officer, told a Senate panel.
Flynn confirmed reports that the company paid one of the hackers $100,000 to destroy the stolen data and to not disclose the breach publicly.
Uber made the payment through a “bug bounty” program, which generally offers financial rewards to cybersecurity researchers who identify vulnerabilities for companies. Flynn on Tuesday said paying off malicious hackers was an improper use of such a program.
“We recognize that the bug bounty program is not an appropriate vehicle for dealing with intruders who seek to extort funds from the company,” he said in his written testimony. “The approach that these intruders took was separate and distinct from those of the researchers in the security community for whom bug bounty programs are designed.”
The 2016 breach exposed information like names and email addresses for 57 million users and the driver license numbers of about 600,000 drivers. Flynn said on Tuesday that about 25 million of the users affected were in the U.S.
He also revealed that one of the hackers responsible was in Florida and the other was in Canada.
Lawmakers on the Senate Commerce consumer protection subcommittee blasted the company’s handling of the breach.
“The fact that the company took approximately a year to notify impacted users raises red flags within this Committee as to what systemic issues prevented such time-sensitive information from being made available to those left vulnerable,” said Sen. Jerry Moran (R-Kan.), the panel’s chairman.
“There ought to be no question here that Uber’s payment of this blackmail without notifying consumers who were greatly at risk was morally wrong and legally reprehensible and violated not only the law but the norm of what should be expected,” added Sen. Richard Blumenthal (D-Conn.).
Blumenthal also pointed out that during the time between when the hack occurred in 2016 and Uber’s revelation of it in November 2017, the company was negotiating a settlement with the Federal Trade Commission over charges of deceptive privacy claims and an earlier, smaller breach.
Updated at 4:57 p.m.