
Hiding a hack? Uber promised not to do things like that

In a settlement with the FTC, the company said it wouldn't mislead users about the security of their data.

Laura Hautala Former Senior Writer
People walk down Market Street past a sign with the logo at the headquarters of ride-sharing technology company Uber in the South of Market (SoMa) neighborhood of San Francisco, California.

Uber acknowledges it had a legal obligation to disclose a hack affecting 57 million users. The concealed hack puts the company under a microscope with state and federal regulators.

Getty Images

Uber is in hot water for waiting a full year to announce a data breach affecting 57 million users, and not just with angry riders and drivers. The company is now under a microscope with regulators, who want to enforce rules that required it to come clean sooner.

The New York State Attorney General has opened an investigation into the incident, which Uber made public Tuesday. Officials for Connecticut, Illinois and Massachusetts also confirmed they're investigating the hack. The New Mexico Attorney General sent Uber a letter asking for details of the hack and how the company responded. What's more, Uber appears to have broken a promise made in a Federal Trade Commission settlement not to mislead users about data privacy and security, a legal expert says.

"It appears they violated the FTC consent order before the ink was dry on it," said Ed McAndrew, a former federal cybercrimes prosecutor who now advises companies on how to comply with the law at the Ballard Spahr firm.

In addition to its agreement with the FTC, Uber is required to follow laws in New York and 47 other states that require companies to tell people when their driver's license numbers are breached. Uber acknowledged Tuesday that it had a legal requirement to disclose the breach.


"We've been in touch with several state Attorney General Offices and the FTC to discuss this issue, and we stand ready to cooperate with them going forward," an Uber spokesman said in an emailed statement. 

The increased scrutiny could add to Uber's growing legal problems, which most recently include a volley of lawsuits alleging the company doesn't do enough to protect riders from sexual assault and harassment. This latest scandal adds to criticisms of Uber's approach to privacy -- for its handling of previous data breaches, as well as its use of a special "God view" in which Uber employees could see where any user was while using the service. In this case, it appears the company's leadership was promising regulators it would do better at protecting your data one minute and concealing a hack of user data the next.

Stolen data often makes its way onto black markets on the internet, which are hosted on hidden websites that form a shadowy network called the Dark Web.

The breach happened in October 2016, Uber said Tuesday. Hackers accessed names and email addresses, as well as the driver's license numbers of 600,000 Uber drivers, by stealing the password to a cloud database hosted on Amazon Web Services. Uber said in a statement Tuesday that it first became aware of the hack in November 2016. Since then, CEO Travis Kalanick has stepped down and was replaced by Dara Khosrowshahi in August.

Around the same time the breach happened in October 2016, Uber was negotiating a settlement with the FTC that stemmed in part from a previous data breach. The first provision in the settlement, which Uber officially agreed to in August, said the company "must not misrepresent in any manner, expressly or by implication... the extent to which Respondent protects the privacy, confidentiality, security, or integrity of any Personal Information."

That's why hiding this breach could be a big problem for Uber, McAndrew said. "At the very time they were negotiating a consent order with the FTC, they were knowingly not disclosing it." The terms of the settlement also require Uber to swear under penalty of perjury on an annual basis that it's in compliance with the settlement order. That anniversary hasn't come up yet.

The FTC declined to comment specifically on whether it would investigate the incident, but a spokesman said in a statement, "We are aware of press reports describing a breach in late 2016 at Uber and Uber officials' actions after that breach. We are closely evaluating the serious issues raised."

The hack is also reportedly being investigated by regulators in the UK, Australia and the Philippines. The UK Information Commissioner's Office, the country's data protection watchdog, said Wednesday that the concealed breach "raises huge concerns around [Uber's] data protection policies and ethics." The company recently lost its license to operate in London, and its appeal of that decision is pending.

Uber said it paid the hackers $100,000 to delete the data, and it believes no fraud has stemmed from the breach. McAndrew said that wasn't Uber paying to cover up the hack -- it was extortion on the part of the hackers. Hackers are increasingly demanding money either to unscramble a victim's encrypted data, something experts call ransomware, or to delete stolen data instead of sharing it with other criminals, he said.

McAndrew said companies like Uber would do well to go to the police if they're being extorted by hackers, rather than paying attackers and keeping quiet about the hack. That's especially the case in situations like this one, because Uber has said it identified some of the hackers.

"When you have that type of information, you definitely should notify law enforcement," McAndrew said.
