Published: Sun, November 26, 2017
Research | By Jennifer Evans

Uber paid hackers to keep data breach quiet

The stolen data included names, email addresses and phone numbers of 50 million Uber customers as well as the personal information on seven million Uber drivers, including around 600,000 driver's license plates.

Uber is facing investigation after revealing that it suffered a massive data breach affecting 57 million people - but kept the details quiet for more than a year. CBS News financial contributor Mellody Hobson joins "CBS This Morning" from San Francisco to discuss the impact of the latest revelations.

In a statement released by Uber, Khosrowshahi apologized for the bad behavior.

'It's always the company's responsibility to identify when United Kingdom citizens have been affected as part of a data breach and take steps to reduce any harm to consumers.'

Uber drivers can find out if their data was stolen on this link.

I recently learned that in late 2016 we became aware that two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use.

Uber claims that no social security numbers, credit card information, trip location details or other were taken during the attack.

The FTC consent order settling the 2014 and 2015 complaints prohibited Uber from misrepresenting how it protects the privacy, confidentiality, security, or integrity of any personal information it handles and stores.

Bo Holland, the chief executive of AllClear ID Inc., a company that helps large companies deal with data breaches, commented on Uber's hack and their failure to immediately alert their users saying, "In the USA today, most laws allow six to eight weeks for companies to notify regulators and consumers". And violations of FTC consent orders can result in civil penalties being issued.

Khosrowshahi discussed the hack in a recent blog post stating, "You may be asking why we are just talking about this now, a year later".

In addition, while the USA does not currently have a federal law requiring companies to inform the public about data breaches, the vast majority of states have enacted breach notification statutes of their own - which are typically a lot stricter than a full year's time for disclosure.

He added: 'Deliberately concealing breaches from regulators and citizens could attract higher fines for companies'.

The data breach and attempted cover-up occurred while Uber was already under investigation by the Federal Trade Commission, which settled separate allegations with the company in August.

And while that law has not come into force, expectations around breach disclosures are being reset to meet the new standard across the EU.
