Lawmakers wonder if biz known for regulatory contempt flouted rules
Five US senators on Monday asked ersatz taxi biz and lawsuit magnet Uber to provide more details about how it allowed hackers in 2016 to pilfer personal information for 57 million customers and drivers.
The data theft, revealed last week and not to be confused with a May 2014 security blunder, led to a $100,000 bung to the hackers – disguised as a bug bounty payment – in exchange for destroying the copied records and keeping silent… to protect Uber’s image. It also led to the ousting of Uber’s security chief Joe Sullivan and Craig Clark, legal director of security and law enforcement.
Uber’s recently appointed CEO Dara Khosrowshahi issued a statement on November 21 about this latest lapse, which occurred before his arrival. “None of this should have happened, and I will not make excuses for it,” he said. “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.”
There’s no shortage of mistakes from which Uber may be able to create a corrective curriculum. Senators John Thune (R-SD), Orrin Hatch (R-UT), Jerry Moran (R-KS), and Bill Cassidy (R-LA) in a joint letter pointed to an August 2017 settlement with the US government’s Federal Trade Commission that was supposed to resolve deceptive privacy and data security practices.
“Our goal is to understand what steps Uber has taken to investigate what occurred, restore and maintain the integrity of its systems, and identify and mitigate potential consumer harm and identity theft-related fraud against Federal programs,” their letter stated.
Toward that end, the concerned four asked what Uber knew about the incident and when, the details of the reported covert payment, which regulators were informed, how Uber aims to mitigate consumer harm, and the steps the company has taken to meet its promises to the FTC.
Another senator, Mark Warner (D-VA), sent his own demand for information with more adversarial questions.
He asked why more robust protection, such as multi-factor authentication, wasn’t used to protect the Uber AWS account that got pwned. He also inquired how Uber could be sure the stolen data had been deleted, how senior executives rationalized covering up the incident, and why the data loss was disclosed to potential investors but not customers and drivers.
In addition, Warner questioned how Uber tracked down the hackers, raising the possibility that the company may have violated the Computer Fraud and Abuse Act. “As you know, no private right exists for companies to ‘hack back’ those who compromise their systems,” he wrote.
Uber also faces scrutiny from several states; almost every state in the US has some form of data breach notification law. The cash-burning, profit-free, San Francisco-based upstart did not respond to a request for comment.