Following the news that Uber suffered a major data breach, the firm has received a letter from US Senators asking some tough questions which might pile more misery on the under-fire brand.

Jamie Davies

November 28, 2017

US Senate starts asking questions Uber will not want to answer


In late 2016, Uber was the victim of a data breach which saw the personal information of 57 million customers and drivers fall into nefarious hands. If having inadequate security wasn’t enough of a PR headache, it now appears Uber tried to hush up the breach, paying the hackers $100,000 to delete the data. Now the Senators want to know why.

“Our goal is to understand what steps Uber has taken to investigate what occurred, restore and maintain the integrity of its systems, and identify and mitigate potential consumer harm and identity theft-related fraud against Federal programs,” the letter reads.

It is all very polite on the surface, but the underlying message to CEO Dara Khosrowshahi is more concerning. The Senators have read all the news about cover-ups and hush money, and want to get to the bottom of one of the more open questions in the technology world today: how dodgy is Uber?

In some circumstances a letter from politicians is nothing really to worry about. You send one back, and suggest somewhere nice to go for lunch. That would usually keep a bureaucrat busy for a couple of weeks. But in this letter, signed by Senators John Thune (Chairman for the Committee of Commerce, Science and Transportation), Orrin Hatch (Chairman for the Committee of Finance), Jerry Moran (Chairman of the Subcommittee on Consumer Data Protection, Product Safety, Insurance and Data Security) and Bill Cassidy (Chairman for the Subcommittee of Social Security, Pensions and Family Policy), the questions are a bit more probing.

In the letter, there are eleven questions to be answered by Uber, which we have copied below, by 5.00pm December 11. The answers to these questions could let us know if and/or how dodgy operations are at one of the world’s most influential technology companies. Questions in full:

  1. On what date did Uber first learn that hackers accessed user data stored on a third-party cloud-based service?

  2. How many consumers does the incident affect, including riders and drivers? Please describe Uber’s efforts to identify and provide notice to the affected individuals.

  3. With respect to the incident, what types of data does Uber believe to have been compromised? To what extent does the data include sensitive personal information?

  4. Did Uber authorize payments to outside parties in connection with the incident? If so, please provide additional details, including the amounts, dates, method of transfer, as well as the purpose of such payments, including whether the purpose of such payments was, even in part, to conceal the incident itself. Who authorized these payments?

  5. Which regulators has Uber notified about the incident? On what dates did these notifications occur?

  6. Beyond monitoring affected accounts, what steps has Uber taken to identify and mitigate potential consumer harm associated with this incident?

  7. What steps has Uber taken to ensure compliance with its obligations under the FTC order, such as its obligation to establish, implement, and maintain a comprehensive privacy program?

  8. Did Uber disclose the incident to the FTC during the agency’s investigation which led to the consent order? If so, when? If not, why not?

  9. What personnel actions has Uber taken in response to the incident? Please provide specific details.

  10. Please provide a detailed timeline of events, including Uber’s initial discovery of the incident, forensic investigation and subsequent security efforts, notifications to law enforcement agencies and regulators, as well as notifications to affected customers.

  11. Uber has maintained that the hackers did not download any social security numbers. Did the breach involve compromise of social security numbers in any way? Please provide a detailed description, including any related forensic analysis.

As you can probably see, there are a few questions Uber will not necessarily want to answer. And they certainly won’t want these answers leaking into the public domain.

Overall this seems to be a PR disaster, built on top of another PR disaster. Executives at the firm must have known this breach and the hush money would come to light at some point, but perhaps this was a pragmatic decision. If you cast your mind back to the latter stages of 2016, or maybe early 2017 when executives might have been considering going public, Uber was not going through the greatest of moments.

At the time, an ex-Uber employee came forward with claims the internet innovator was harbouring a horde of stalkers and security protocols which make Yahoo look like Fort Knox. Ward Spangenberg said employees were using customer data to track celebrities, politicians and also personal connections. It is claimed all employees had access to this data, as opposed to a small, accountable security team.

Perhaps Uber wanted this news to die down before compounding the misery with another scandal. Then came months of Travis Kalanick news and his alleged wandering hands. Perhaps there is a queue of scandals which Uber is keeping secret. All Execs have to do is keep the cork in the bottle until the fire from the previous one cools down.

Who knows what is going to come next, but on December 11 the world might just find out if and/or how dodgy operations are at Uber.
