On November 21, Uber admitted it had paid $100,000 to hackers. In return, the hackers agreed not to disclose a breach of user data that had occurred in October 2016. This data included names, email addresses, and mobile phone numbers of users. It additionally contained the names and driver’s license numbers of 600,000 U.S. drivers.
Joe Sullivan, Uber’s Chief Security Officer and deputy general counsel, and Craig Clark, his deputy, were terminated for their roles in the cover-up of the hack.
The announcement comes at a difficult time for Uber’s new CEO, Dara Khosrowshahi, who was named CEO of the company in August. Khosrowshahi has been working to change Uber’s culture. After Uber was ousted from London, he emailed employees to share that “there is a high cost to a bad reputation.”
Following the announcement of the hacking cover-up, Khosrowshahi wrote in a blog post: “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.” In addition to the apology, Khosrowshahi offered free credit monitoring and theft protection to drivers and reached out to Matt Olsen, former general counsel of the National Security Agency and director of the National Counterterrorism Center, to strategize on more effective security measures.
Despite the change in tenor, Khosrowshahi still faces obstacles, as evidenced by the recent lawsuit filed in response to the hack. The complaint alleges that “Uber failed to implement and maintain reasonable security procedures and practices appropriate to the nature and scope of the information compromised in the data breach.” The lawsuit aims to attain class action status to represent both the drivers and riders whose information was stolen.
Uber could also face issues with European regulators. The UK Information Commissioner’s Office announced it was working with the National Cyber Security Centre to assess the damage of the breach as it pertains to UK citizens. In the future, breaches of this nature could have serious implications for companies due to the passage of the General Data Protection Regulation (GDPR). The law goes into effect in May 2018, and Uber appears to have already broken three of its provisions: not properly protecting the data, not telling regulators about the hack, and not informing its customers until one year later. Fines could be up to 4% of global annual revenue.
It remains to be seen how Uber and its new CEO will handle both the US lawsuit and regulators in Europe.
Uber Data Breach Lawsuit (PDF)