Last week, Uber revealed a massive data breach that happened last October. Uber hid the breach from both customers and drivers, and paid the hackers $100,000 to keep quiet.
In October 2016, hackers had access to data on 50 million Uber riders, and 7 million drivers. Uber stated that the information taken from customers included names, email addresses, and phone numbers. As for the drivers, around 600,000 U.S. driver’s license numbers were taken, though no social security numbers or credit card information was compromised.
Uber had a legal obligation to report the hack to regulators and those drivers whose license numbers were taken. Instead, Uber paid off the hackers in exchange for silence and deleting all the data. Uber disclosed the information about the hack last week, for unknown reasons, and the New York Attorney General promptly launched an investigation.
According to Uber, Travis Kalanick, Uber’s co-founder and former CEO was aware of the attack last November, a month after it happened. Current CEO Data Khosrowshahi says that the breach “should not have happened”, and Uber has been changing the way they do business since Travis Kalanick left. Khosrowshahi informed the attorney general and the FTC about the hack, and asked for the resignation of Joe Sullivan, Uber’s Security Chief who was involved in the hack, and fired Sullivan’s lawyer.
Ironically, in January 2016 Uber was fined $20,000 for neglecting to disclose a previous data breach that occurred in 2014. Uber will be facing serious legal implications as a result of the investigation into the lack of disclosure for the attack. Regulators are not satisfied with just an apology from current Uber CEO.
Members of Congress and state lawmakers are continuing to question Uber and express their concerns. Lawmakers are looking for details about a full timeline of the events, and assurance that the drivers and riders whose information was stolen are protected. Part of the criticism is that since Uber paid $100,000 ransom and required hackers to sign a nondisclosure agreement, the hackers are not able to be punished for their actions.
Uber released information of the hack just before Thanksgiving, likely in hopes that it would be ignored. Now, a week later, Uber is still aggressively receiving criticisms. Customers, drivers, and regulators alike are looking for more information, and they won’t stop until they get the answers they’re looking for.