The appointment of Dara Khosrowshahi as head of Uber Technologies this summer was supposed to mark the beginning of a new chapter. The company had been racing from one disaster to the next, leading to boycotts, lawsuits, criminal probes, an executive exodus and an investor-led mutiny against the co-founder.
Somehow, the new chief executive officer keeps finding more horrors at every turn. The latest is a cyber-attack Uber had been concealing since last year that exposed personal
data on 57 million customers and drivers globally.
The company, which said it had paid hackers $100,000 to delete the data and keep quiet, disclosed the incident in a statement to Bloomberg on Tuesday, following an investigation commissioned by the board. The chief security officer and one of his deputies were ousted for their actions following the hack.
Khosrowshahi’s role so far looks less like a turnaround artist and more like chief apology officer on behalf of his predecessor, Travis Kalanick. Since he took over, London moved toward outlawing the service, citing “a lack of corporate responsibility.” Uber is appealing.
(“I apologize for the mistakes we’ve made,” Khosrowshahi said in response.) He then traveled to Brasilia to meet with officials there and ward off restrictions on Uber’s business. (“In the past, we were a bit aggressive,” he told a Brazilian newspaper.) And now the mishandled data breach. (“We will learn from our mistakes.”) The hacking fallout has already begun. Within hours of the disclosure, a customer filed a lawsuit seeking class-action status, and New York Attorney General Eric Schneiderman launched an investigation.
More states and the Federal Trade Commission, which had settled with Uber over another privacy matter in August, will probably pile on, said Jeremiah Grossman, chief of security strategy at SentinelOne, which aids companies with cyber-defense. “I’m sure they’ll get another call from the FTC,” he said.
Gadfly says Kalanick needs to come forward on Uber’s breach The ghosts of Kalanick’s past will scare up more problems.
The hack introduces an unexpected factor in negotiations between SoftBank Group Corp. and Uber shareholders over a planned investment of as much as $10 billion, a deal Khosrowshahi has been championing.
It may weigh on the company’s valuation, now at about $70 billion, ahead of an initial public offering expected in 2019. And the theft of customer data offers one more reason for people to switch to Lyft Inc., which was quickly gaining market share in the U.S. before expanding to Canada this month, or another local ride-hailing app.
The breach at Uber, while significant, is smaller than recent incidents at Yahoo or Equifax Inc., but the decision to keep it a secret for a year was particularly concerning.
Cyber-security experts said Uber’s payment to the two hackers in exchange for their discretion and assurances that they delete the data was very unusual.
“I was shocked,” said Kowsik Guruswamy, chief technology officer at Menlo Security. “Companies need to own up.” Experts also questioned whether Uber was able to verify the information was truly out of the attackers’ hands.