Uber Technologies, Inc., the latest victim of a high-profile data theft, is taking heat for its handling of the 2016 incident – first disclosed last week – in which account information for 57 million riders worldwide was stolen. The theft was made public in a blog post written by the company’s new chief executive officer Dara Khosrowshahi.
Khosrowshahi wrote that Uber tracked down the two hackers and “obtained assurances that the downloaded data had been destroyed.” It’s been reported that Uber paid the duo $100,000 in exchange for those assurances. And, according to the company, there have been no reports that the stolen data has been misused.
Here’s what else we know so far:
- “[I]n late 2016 we [Uber] became aware that two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use.”
- The personal information for 57 million Uber users from “around the world” was stolen including names, email addresses and mobile telephone numbers.
- Approximately 600,000 drivers were also affected in the U.S. Their names and driver’s license numbers were taken.
The company has confirmed that no trip information, credit cards numbers, birthdates or social security numbers were compromised.
Although the ride-hailing company has not disclosed additional details, Khosrowshahi’s post suggests that the theft was discovered quickly, an investigation followed including putting together a forensic trail which led to the data thieves. It’s not been disclosed whether the culprits were employed by the cloud provider that was apparently hacked.
The company has been criticized for both its payment to the hackers and failure to announce the theft earlier.
The legal and regulatory implications of the theft are still unfolding. Regulators from around the globe including the U.S., EU, Mexico, Canada, Australia, and the Philippines are investigating the theft. At least five states have also launched investigations.
So far, three putative class action lawsuits have been filed in California and Oregon alleging that Uber failed to protect consumer data. The lawsuits also allege that Uber failed to notify consumers in a timely manner as required by various state laws.
Uber is already operating under an August 2017 U.S. Federal Trade Commission consent order related to an earlier data breach. In 2014, a hacker accessed personal information for more than 100,000 Uber drivers that was stored in a third-party cloud provider. The consent order requires Uber to implement a comprehensive data security program “that addresses privacy risks related to new and existing products and services and protects the privacy and confidentiality of personal information collected by the company,” and to undergo independent data security audits for the next 20 years.
The company’s disclosure of the most recent incident couldn’t have come at a worse time. It is in the midst of a trying to complete a deal with SoftBank Group Corp., the Japanese firm, for a $10 billion investment. It’s unclear whether this news will trigger a renegotiation of the deal terms.