Uber has admitted that it had “no justification” for the coverup of a data breach which left the personal information of 57 million users vulnerable.
Ars Technica reports that Uber’s top security official admitted during testimony on Capitol Hill on Tuesday that the company had “no justification” for its coverup of a massive data breach in 2016. Uber’s chief information security officer, John Flynn, told a Senate committee that “it was wrong not to disclose the breach earlier.” Flynn further stated that “The company is taking steps to ensure that an incident like this does not happen again,” and that they are “working to make transparency and honesty core values of our company.”
Flynn appeared before the Senate Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security alongside representatives from other security firms. Chairman Jerry Moran, a Republican senator from Kansas, said at the start of the hearing, “The fact that the company took approximately a year to notify impacted users raises red flags within this committee as to what systemic issues prevented such time-sensitive information from being made available to those left vulnerable.”
In 2016, Uber fell victim to a cyberattack in which a group of hackers stole the data of 57 million Uber users and drivers. The company reportedly kept this attack hidden from the public for over a year, leading to the firing of chief security officer Joe Sullivan this week along with one of his deputies. The stolen data, dating back to October 2016, contains the names, email addresses, and phone numbers of 50 million Uber riders worldwide.
The personal details of approximately 7 million drivers were also accessed by hackers, including 600,000 U.S. driver's license numbers. Social Security numbers and trip location details were not among the data stolen. Uber has now acknowledged that it had a legal obligation to report the hack to the drivers and customers affected, as well as regulators, but instead paid the hackers $100,000 to delete the stolen user information and stay quiet about the hack. Dara Khosrowshahi, who replaced Travis Kalanick as CEO of Uber in September, said in a statement, “None of this should have happened, and I will not make excuses for it. We are changing the way we do business.”