Uber may have come clean about the grievous hack that exposed data for 57 million users, but it apparently took its time getting to that point. Wall Street Journal sources have learned that new CEO Dara Khosrowshahi was informed about the data breach two weeks after he took the reins on September 5th, or more than two months before informing the public. There were reasons for the delay, according to the tipsters, but it still meant leaving people out of the loop.
Khosrowshahi did order a prompt investigation, as he claimed, but Uber and Mandiant (the digital forensics unit of FireEye) wanted to determine exactly how many users were affected and fire the two executives that covered up the attack. Uber told its would-be investor SoftBank about the breach roughly three weeks before the WSJ scoop, but it still didn’t know just how many people were at risk.
Uber has confirmed the broader claims of the report. The company informed SoftBank with incomplete info because of its “duty to disclose to a potential investor,” according to a statement, and revealed the breach in a “very public way” once its investigation wrapped up.
While Khosrowshahi inherited the hack from the previous management under Travis Kalanick and isn’t facing much of a direct threat, the revelation isn’t exactly going to help Uber as investigators from the FTC and individual states look into what happened. They may want to know why Uber’s inquiry took so long, and whether or not Uber could have offered a basic warning to customers as soon as it knew their data was at risk. It’ll need to have satisfactory answers if it wants to avoid the same kind of scrutiny as Equifax and other high-profile hacking targets.