In late November, Uber revealed that hackers had accessed the accounts of 50 million passengers and 7 million drivers in October 2016. When Uber learned about the hack a year ago, it paid the hackers $100,000 to delete the data and keep quiet, and, apparently, the company also decided to keep quiet. Uber CEO Dara Khosrowshahi was told about the breach shortly after taking charge of the company in September, meaning he has known about the hack for over two months.
The company fired its former chief security officer Joe Sullivan and informed customers as soon as it concluded its investigation, but the fact that Uber had known for some time before going public is worrisome for customers, investors and regulators.
US Senate Republicans have since asked Uber for information about the consequences of the data breach. The Senators wrote to Uber’s executives that the fact that “the company concealed the breach without notifying affected drivers and consumers…makes this a serious incident that merits further scrutiny.” The Senate Commerce, Science, and Transportation Committee and the Senate Finance Committee will be conducting a probe to learn what steps Uber took and has since taken to investigate what occurred and improve the integrity of its systems.
The New York State Attorney General and officials in Connecticut, Illinois, and Massachusetts confirmed they will be opening an investigation into the incident. And several nations including Mexico, the United Kingdom, Australia, and the Philippines have said they are investigating Uber’s withholding of information about the hack. The Securities and Exchange Commission may also probe Uber if the break-in is material to Uber’s valuation and misled investors as a result.
To make matters worse, officials are also saying that Uber has violated a recent FTC consent order in which Uber agreed to follow laws in New York and 47 other states that mandate that companies inform people when their driver’s license numbers are breached. This means that Uber was aware of the hack at the same time it agreed to this order.
An Uber spokesman told CNET, “We’ve been in touch with several state Attorney General offices and the FTC to discuss the issue, and we stand ready to cooperate with them going forward.” According to CNET, Uber has acknowledged that hackers accessed names and email addresses, as well as the driver’s license numbers of 600,000 Uber drivers, by stealing the password to a cloud database hosted by Amazon Web Services. Uber is providing the 7 million drivers affected with free identity theft monitoring, but the offer may come a year too late for many, which could lead to a flood of class-action lawsuits.