Uber Ignored Legal Requirements, Paid Hush Money to Hackers

NEWS ANALYSIS: The breach itself was bad enough, but it’s been compounded by the fact that Uber attempted to hide the event from customers and regulators. In fact, Reuters is reporting the company paid the hackers $100,000 in hush money to erase the data they took.


Once again, Uber has a data breach. This time the ride-hailing service had approximately 57 million accounts compromised, which included personal information from customers, as well as more detailed information from about 600,000 of the company’s drivers. The data came from an Amazon Web Services cloud account used by the company. The hackers apparently gained access because Uber staff failed to secure the login credentials for the cloud service.

The breach itself was bad enough, but it’s been compounded by the fact that Uber attempted to hide the event from customers and regulators. In fact, Reuters is reporting that the company paid the hackers $100,000 in hush money to erase the data they took, and to keep the fact that the breach happened confidential.

Former CEO Knew About Breach a Year Ago

Former CEO Travis Kalanick was made aware of the breach in November 2016, a month after it took place. However, there’s no evidence that Kalanick passed the information along to the new CEO, Dara Khosrowshahi.

The two Uber employees responsible for the mishandling of the incident, including security chief Joe Sullivan, have been fired. According to a blog entry written by Khosrowshahi, the company is now working to notify the drivers who had their driver’s license information taken and said the company will offer free credit monitoring. He also said that Uber is notifying regulators.

The 2016 data breach happened just as Uber was recovering from a similar data breach that happened in 2014, and which was part of the reason why the London transport authorities declined to renew Uber’s license to operate in the city. Uber is currently appealing the license issue with courts in the UK.

What Uber is not doing is notifying the customers who were affected. While the company has posted a brief notice on its customer support site that contains little beyond telling customers not to worry, there has so far been no sign of any effort beyond that. The more detailed blog entry doesn’t really address the issue, either.

New CEO Using New Advisors

One thing that Khosrowshahi has done is to ask for qualified help in the form of Matt Olsen, president of IronNet Cybersecurity and the former general counsel to the National Security Agency. Olsen is a highly respected authority in security practices. Assuming that Khosrowshahi and the staff at Uber take his advice and implement his changes, Uber has a chance of becoming a secure operation.

Unfortunately, Uber has a long track record of asking for help, and then not taking it. Until recently, the company’s stated goals of a workplace free of gender discrimination have been lip service, at best. Even after a blog entry by one of Uber’s female engineers went viral and effectively blew up the executive suite, the company has been slow to improve.

Likewise, the company has shown through its actions that it would rather cut corners than follow the rules. The infamous “Greyball” plot to deny information to regulators was just one of the company’s convoluted attempts to avoid following the rules that the rest of the business world has to follow.

While it seems that Khosrowshahi has every intent to clean up Uber’s act, the corporate culture does not appear to have the same intent. This is one area in which the new CEO’s efforts to ease the transition by changing as little as possible may be backfiring. As long as Uber retains the executives who were part of the problem in the first place, there seems little likelihood that Uber will learn to act like a responsible organization.

Will Uber Get Around to Obeying the Rules?

And the problem can only get more serious. Two days ago Uber and Volvo announced a major effort to launch autonomous vehicles for use in Uber’s operations. While Volvo is making the cars and supplying them in a form that the company calls “compatible” for self-driving use, it’s Uber that’s writing the software.

The idea that a company with Uber’s practice of skirting the rules is running its own self-driving car effort should be enough to give one pause. How many safety rules will Uber bend to get its cars on the market first? Is Uber so concerned about finding a way around its troublesome drivers that it will gloss over safety concerns? While Uber’s executives have said that customer safety is the company’s highest priority, the company hasn’t shown this to be the case in the past.

Remember, it’s Uber that tried to find a way to excuse sexual assaults on its passengers in India and elsewhere, even to the point of passing around medical records of one of the victims so she could be discredited. And it’s Uber that so glossed over its background checks that reporting has revealed that felons are working as drivers, and so are people who have had their licenses revoked or suspended.

This is the other reason why Uber lost its license to operate in London, and these are reasons why Uber is having trouble elsewhere. But instead of trying to fix the problem, Uber continues to find ways to avoid following the rules.

While Uber has been a ground-breaking company in many ways, it seems to be doing so at the expense of its customers and the public. This doesn’t argue for a long-term period of success. 

Wayne Rash


Wayne Rash is a freelance writer and editor with a 35 year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He covers Washington and...