Brief:
- Uber, the ride-hailing app that works in 77 countries, faces class-action lawsuits and multiple investigations worldwide after revealing it paid hackers $100,000 to stay quiet about stealing the personal information of 57 million customers and drivers, the Washington Post reported. Hackers obtained the names, email addresses and phone numbers of millions of passengers, and the drivers’ license numbers of about 600,000 drivers.
- CEO Dara Khosrowshahi learned of the breach, which Uber said happened in October 2016, about two weeks after he officially started the job on Sept. 5, The Wall Street Journal reported. He immediately ordered an investigation that he wanted completed before making a public statement.
- Several states, the Federal Trade Commission and at least three European government agencies are seeking information on why Uber took more than a year to disclose the breach. Uber said it is cooperating with various government offices to discuss the matter.
Insight:
Uber’s latest revelation about a massive data breach that happened more than a year ago is a necessary step in setting a new course for the troubled ride-hailing pioneer. The company has taken steps to move past sexual harassment complaints and ongoing federal probes of possible bribery, theft of trade secrets and discriminatory pricing. The data breach is another mess to clean up for new CEO Dara Khosrowshahi, who was hired to replace Uber’s beleaguered co-founder Travis Kalanick.
Uber in August reached a settlement with the FTC over allegations that the company failed to live up to its promise to monitor how employees accessed data about customers and drivers. The FTC also claimed that Uber failed to improve the security for sensitive data — including names, driver's license numbers, bank account details and Social Security numbers — resulting in a 2014 data breach that affected more than 100,000 drivers. Uber agreed to settle those allegations by implementing a comprehensive privacy policy and undergoing privacy audits for 20 years.
Unfortunately, the company’s decision to cover up the breach by paying the hackers a ransom to destroy the data may be found to have violated laws in several states. Paying a ransom isn’t illegal, but some states require companies to publicize data breaches as a way of protecting consumers from the mishandling of their private information. Uber more likely faces a bigger threat from class-action lawsuits by consumers and drivers seeking damages. The company said financial information such as credit cards and Social Security numbers weren’t taken in the 2016 hack, and its own investigations haven’t found evidence that personal information was used for identity theft. In addition, Uber is offering free credit monitoring to people whose data were stolen. These actions may offer customers at least some assurance that the company is working to rebuild their trust.