Uber revealed last Tuesday that it paid a $100,000 ransom to hackers in an attempt to cover up a data breach that impacted 57 million accounts in October last year. Uber said they had identified the hackers and ensured they had destroyed the stolen data.
The names, emails, and phone numbers of millions of customers and drivers, and the licence plates of 600,000 drivers were taken. Financial information such as credit cards and social security number were not accessed. Uber is offering free credit monitoring for drivers, and fraud monitoring for those customers affected.
Former CEO Mr Kalanick discovered the breach in November 2016, a month after it happened. The company took immediate steps to secure the data, shutting down unauthorised access and strengthening its security controls. It did not, however, report the breaches to the authorities. After Mr Khosrowshahi, newly appointed CEO, learned of the cover-up he ordered an investigation. Chief Security Officer Joe Sullivan and Craig Clark, the deputy, have been fired for their part in the cover-up. Uber has hired cyber security expert and former general counsel of the National Security Agency, Matt Olsen, to advise the company.
Uber disclosed the breach ahead of a tender offer from SoftBank as it could influence the decision of investors. Mr Khosrowshahi has spent weeks negotiating with SoftBank in an investment deal upward of $10 billion. It is unclear whether SoftBank may use this disclosure in negotiations.
The scale of the breach, though not as extreme as the recent Yahoo and Equifax disclosures, raises questions as to who else knew about the cover up, and who else was involved. A spokesperson for Uber declined to reveal who authorised the $100,000 ransom payment.
This adds to the string of scandals and legal troubles Uber faces. A prominent revelation in March 2017 was that Uber had secretly designed and used software called ‘Greyball’ to evade the sting operation of city officials who were attempting to catch Uber drivers that violated local regulations. Bloomberg reported this most recent data breach cover-up is an additional challenge for Mr Khosrowshah, who has been trying to bring stability to the firm in his first three months of the role. Mr Khosrowshah has inherited multiple federal investigations into the company’s programmes aimed at regulators and competition, in addition to violations of the Foreign Corrupt Practices Act. Additionally, Uber is currently in a heated legal dispute with Alphabet (Google’s parent company) who accuse Uber of stealing trade secrets on self-driving cars. Uber denies the allegations. Uber is also still recovering from a legal dispute with a female engineer over the neglect of complaints of harassment and sexism towards her and other women.
Currently valued at $68 billion, the company has developed a reputation for pushing the limits of the law in their aim of being the market leader in the ride-hailing market.