A new Uber scandal has once again put the Kalanick-founded ride-hailing company in hot water.
On Tuesday, reports about an alleged hacking incident involving Uber Technologies Inc. made headlines. According to a story published by Bloomberg, the new Uber scandal exposes a security breach that the company concealed from its partner drivers and riders last year.
It was said that two unidentified hackers stole data in an October 2016 attack, including the names, email addresses, and phone numbers of around 50 million Uber riders around the world.
If that’s not bad enough, personal information of about 7 million drivers was compromised as well. The figure includes around 600,000 U.S. driver’s license numbers.
Fortunately, the company reported that no Social Security numbers, credit card information, trip location details or other data were stolen. According to Uber, the security breach remained a secret after the company paid the hackers a hefty sum of $100,000 USD.
New Uber Scandal: Kalanick’s Legacy
The new Uber scandal also exposes the participation of Travis Kalanick, the ousted CEO of Uber, and the company’s Chief Security Officer, Joe Sullivan. Current and former employees of the company who spoke on the condition of anonymity confirmed that Sullivan arranged the deal under Kalanick’s watch.
The two hackers allegedly stole the information by accessing a private GitHub coding site used by Uber software engineers. They used the login credentials they obtained there to access the data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers found the archive where Uber keeps its rider and driver information.
In a statement, Uber’s new CEO, Dara Khosrowshahi, said:
“None of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.”
When asked for comment about the new Uber scandal, Chris Hoofnagle of the Berkeley Center for Law and Technology said that the company’s failure to disclose the breach was ‘amateur hour.’
“The only way one can have direct liability under security breach notification statutes is to not give notice. Thus, it makes little sense to cover up a breach.”
Federal and state laws require companies to notify all state residents of any security breach that compromises personal information. Furthermore, if a single breach affects over 500 residents, the attorney general must also be informed.
Khosrowshahi went on to say:
“At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.”
According to reports, Kalanick learned about the hack in November 2016, a month after it happened. Back then, the company had just settled a lawsuit with the New York attorney general over data security disclosure and was in negotiations with the Federal Trade Commission over the handling of consumer data.
Before the new Uber scandal surfaced, the company’s board launched an investigation into the activities of Sullivan’s security team. The task was carried out by an outside law firm, which later uncovered the hacking incident and the failure of Kalanick to disclose it.
While the security breach was deemed relatively small compared to the Yahoo hacking incident last year and the Equifax breach this September, the situation was exacerbated by the extent to which the company’s top executives were willing to go just to protect Uber’s reputation. It appears that Kalanick was willing to break users’ trust as well as state and federal laws to ensure that the company’s image remained untarnished.
The new Uber scandal tarnishes the reputation of Sullivan, who joined Uber in 2015 as its first Chief Security Officer. Sullivan served as Facebook’s head of security for seven years and studied cyberlaw at the University of Miami. He was fired last month for his involvement in the breach, together with Uber’s Legal Director, Craig Clark.
This is not the first time that hackers have attacked Uber. In May 2014, the company also experienced a data breach, which it disclosed in February 2015. That time, over 50,000 of the company’s driver names and licenses were compromised.
This latest issue has put Uber in another difficult situation just as the company is repairing its image and preparing to seek an initial public offering in 2019. The company reportedly hired former National Security Agency General Counsel Matt Olsen as an adviser and retained Mandiant, a FireEye-owned security firm, to conduct an independent investigation of the hacking incident.