On Tuesday, a Senate subcommittee grilled Uber’s Chief Information Security Officer, John Flynn, over a 2016 data breach that affected nearly 57 million drivers and riders. At the hearing, Uber faced backlash from lawmakers for its “morally wrong and legally reprehensible” conduct that “violated not only the law but the norm of what should be expected.”
As we previously reported, Uber was the target of the high-profile data theft in late 2016, but did not disclose the incident until November 2017. The company was criticized for its failure to notify users. One lawmaker described Uber's failure to notify users of the breach in a timely manner as "rais[ing] red flags … as to what systemic issues prevented such time-sensitive information from being made available to those left vulnerable." Uber's decision to remain silent was further questioned because the company was already in communication with the U.S. Federal Trade Commission concerning a previous data security incident. The ride-hailing company was similarly criticized for its $100,000 ransom payment to the hackers, which was the subject of Tuesday's hearing.
Uber initially classified the payment as part of its "bug bounty program," a program under which companies and website developers pay outside researchers who find and responsibly report bugs and vulnerabilities, before the flaws are exploited. Flynn testified that the payment to the hackers, made to keep the breach secret and to have the stolen data deleted, was "not done consistent with the way our bug bounty program operates": the hackers had already taken the data and were demanding money for its return, which is extortion rather than vulnerability disclosure. Uber has paid nearly $1.3 million through its bug bounty program. According to Senator Richard Blumenthal, "[a]t the same time Uber was negotiating with its blackmailers, it was speaking with the Federal Trade Commission," conduct he called "a form of obstruction of justice."
Flynn emphasized that it was “wrong not to disclose the breach earlier,” stating that “there was no justification.” According to Flynn, Uber “did not have the right people in the room.” A number of lawmakers called for legislation setting national standards for companies to notify consumers and government agencies when data breaches occur.
Uber had already fired its then-chief security officer and his deputy months earlier for their role in handling the breach. Several states and cities, as well as breach victims, have filed lawsuits against the company over the 2016 incident. Numerous law enforcement and regulatory agencies are also investigating the breach.