Uber CEO Dara Khosrowshahi was reportedly aware of a hack that took place at the company last year for months before revealing the extent of the data breach to the public.
The Wall Street Journal reports that Uber CEO Dara Khosrowshahi has known about a data breach that took place at Uber in October 2016 since he was appointed to the role of CEO in September 2017, but the company did not make the hack known to the public until recently. The breach saw the personal data of 57 million Uber drivers and riders stolen and was reportedly covered up by Uber’s former chief security officer Joe Sullivan, who paid the hackers $100,000 to delete the stolen data and stay quiet about the entire incident.
The investigation into the hack was allegedly ordered by CEO Khosrowshahi on September 5th, shortly after he began acting as CEO, but the details of the hack were not revealed to the public until earlier this week. Uber did, however, turn over details of the hack three weeks ago to SoftBank Group Corp., which is currently considering a large investment in Uber.
Bo Holland, the chief executive of AllClear ID Inc., a company that helps large companies deal with data breaches, commented on Uber’s hack and its failure to immediately alert its users, saying, “In the U.S. today, most laws allow six to eight weeks for companies to notify regulators and consumers. Equifax met the letter of the law, no one was happy with their response, and the executives and shareholders suffered the consequences.”
Due to the lack of federal law surrounding data breach notification, Uber is subject to a number of laws across 48 states, some of which state that users must be notified immediately of a data breach of their personal information. Deirdre Mulligan, a UC Berkeley professor who advised lawmakers during the development of California’s breach-notification law, stated, “The provisions that allow for delay are not about getting your new management in order.”
Khosrowshahi discussed the hack in a recent blog post, stating, “You may be asking why we are just talking about this now, a year later. I had the same question, so I immediately asked for a thorough investigation of what happened and how we handled it.” Khosrowshahi then outlined the steps taken by the company following the discovery of the attack, as follows:
- I’ve asked Matt Olsen, a co-founder of a cybersecurity consulting firm and former general counsel of the National Security Agency and director of the National Counterterrorism Center, to help me think through how best to guide and structure our security teams and processes going forward. Effective today, two of the individuals who led the response to this incident are no longer with the company.
- We are individually notifying the drivers whose driver’s license numbers were downloaded.
- We are providing these drivers with free credit monitoring and identity theft protection.
- We are notifying regulatory authorities.
- While we have not seen evidence of fraud or misuse tied to the incident, we are monitoring the affected accounts and have flagged them for additional fraud protection.
In a statement on Wednesday, Uber announced that it had previously discussed the data breach with SoftBank, saying, “We informed SoftBank that we were investigating a data breach, consistent with our duty to disclose to a potential investor, even though our information at the time was preliminary and incomplete. We also made clear that our forensic investigation was ongoing. However, once our internal inquiry concluded and we had a more complete understanding of the facts, we disclosed to regulators and our customers in a very public way.”
Uber has been working for some time to tie up an investment from SoftBank that could be worth as much as $10 billion, one billion of which would go directly into Uber’s savings. The process has been slowed, however, as SoftBank negotiates the price at which it is willing to buy billions in stock from shareholders. People familiar with the situation have stated that SoftBank is expected to settle on a fixed price for the offer in the coming weeks.