Uber, one of the latest companies to suffer a data breach, is suffering backlash not just for the 57 million user accounts compromised following the breach, but the company’s failure to disclose the breach until more than one year after it occurred. The company is now facing scrutiny from Congress and potential legal repercussions.
The data breach occurred in October, 2016 when two hackers stole data from a third party server. The data included names, phone numbers and email addresses of 57 million riders and drivers, where driver’s license information was compromised for many Uber drivers as well.
The New York Times additionally reported that the hackers held Uber’s stolen data ransom for $100,000, and Uber subsequently tracked down the hackers to sign nondisclosure agreements after paying the bounty. Uber’s Chief Security Officer at the time arranged the meeting and deal with the hackers, with the New York Times relaying this from reports of current and former Uber employees who will remain anonymous.
The New York attorney general has since launched an investigation into Uber and the data breach along with a handful of other states, while the attorney general representing Chicago has filed a law suit on behalf of Cook county Illinois residents. There are also three law suits seeking class-action status.
By failing to notify users of the data breach, and potentially trying to cover it up, Uber has violated multiple state laws around data breach disclosure, including California. Additionally, Uber may have violated FTC requirements on destroying forensic evidence by requiring the hackers to destroy the compromised data. These and other potential reprecussions for Uber will shake out over the coming months, as Uber has also received letters from several U.S. Congressmen.
For more information: