Governments begin inquiries into Uber hack cover-up

Britain, US, Australia, Philippines to inquire into company’s response to data breach

Uber said it has been in touch with the US Federal Trade Commission  and several states to discuss a hack last year that exposed data on millions of customers and drivers, the latest scandal to rock the ride-hailing firm. File photograph:   Eduardo Munoz/Reuters

Uber said it has been in touch with the US Federal Trade Commission and several states to discuss a hack last year that exposed data on millions of customers and drivers, the latest scandal to rock the ride-hailing firm. File photograph: Eduardo Munoz/Reuters

 

Governments around the globe launched investigations into Uber Technologies Inc after the company disclosed it had covered up a breach that exposed data on millions of customers and drivers, the latest scandal to rock the ride-hailing firm.

Authorities in Britain and the United States, two top Uber markets, as well as Australia and the Philippines said today they would investigate the company’s response to the data breach.

Some US politicians called for Congressional hearings and implored the Federal Trade Commission (FTC) to look into the matter.

Uber said it has been in touch with the US Federal Trade Commission (FTC) and several states to discuss a hack last year that exposed data on millions of customers and drivers, the latest scandal to rock the ride-hailing firm.

“We’ve been in touch with several state attorney general offices and the FTC to discuss this issue, and we stand ready to co-operate with them going forward,” an Uber spokesperson said in a emailed statement.

Uber said on Tuesday that in late 2016 it had paid hackers $100,000 to destroy data on more than 57 million customers and driver stolen from the company and decided not to report the matter to victims or authorities.

The company’s chief executive had acknowledged in a Tuesday blog that the company had erred in handling the breach.

Aggressively expand

The money-losing ride-hailing service is known for the tough stance it has taken against regulators as it seeks to aggressively expand and compete with existing taxi services.

Attorneys general in at least four US states, Connecticut, Illinois, Massachusetts and New York, said they had launched investigations into the breach.

“We have serious concerns about the reported conduct,” Massachusetts attorney general Maura Healey said in a statement.

US senator Richard Blumenthal took to Twitter to call for the FTC to investigate Uber, describing the company’s behaviour as “inexplicable” and asking for the FTC to impose “significant penalties”.

The FTC, which investigates companies accused of being sloppy with consumer data, said it was looking into the matter, but declined to say if it had launched a formal investigation.

“We are aware of press reports describing a breach in late 2016 at Uber and Uber officials’ actions after that breach. We are closely evaluating the serious issues raised,” an FTC spokesman said.

US Representative Frank Pallone called for a Congressional hearing.

“If Uber did indeed secretly pay off the hackers to keep the breach quiet, then a possible cover-up of the incident is problematic and must be investigated,” Pallone said in a statement.

Britain’s data protection authority said it would work with agencies in the UK and overseas to investigate the matter.

“If UK citizens were affected, then we should have been notified so that we could assess and verify the impact on people whose data was exposed,” James Dipple-Johnstone, deputy commissioner of the UK Information Commissioner’s Office, said in a statement.

British law carries a maximum penalty of £500,000 for failing to notify users and regulators when data breaches occur.

“Deliberately concealing breaches from regulators and citizens could attract higher fines for companies,” Mr Dipple-Johnstone said.

Blog post

The stolen information included names, email addresses and phone numbers of 57 million Uber users around the world, and the names and licence numbers of 600,000 US drivers, according to a blog post by Uber’s new chief executive, Dara Khosrowshahi, who replaced co-founder Travis Kalanick as chief executive in August.

Uber said it fired its chief security officer, Joe Sullivan, and a deputy, Craig Clark, this week over their role in the incident. Mr Sullivan, formerly the top security official at Facebook Inc and a federal prosecutor, served as both security chief and deputy general counsel for Uber.

Mr Sullivan declined to comment. Mr Clark could not be reached for comment.

Mr Kalanick, through a spokesman, declined to comment. The former chief executive remains on the Uber board of directors, and Mr Khosrowshahi has said he consults with him regularly.

A stream of executives has left Uber in recent months amid controversies involving sexual harassment, data privacy and business practices in Asia. The board removed Mr Kalanick as chief executive in June.

London’s transport regulator recently pulled Uber’s operating license, saying the company failed to deal with public safety and security issues. Uber is appealing the decision.

Seeking information

The agency said today it was seeking more information about the breach.

“We are pressing them for the full details of what has happened so that we can be satisfied that all the right protections are in place for the personal data of drivers and customers in London,” a Transport for London spokesman said.

Uber said earlier this month it had struck an agreement to allow Japan’s SoftBank Group to invest up to $10 billion, most of it by buying shares from existing investors. The final price has yet to be decided, and SoftBank could back out if not enough Uber investors are willing to sell at the right price. – Reuters