This may turn out to be a lesson in Internet law for everyone.
In October 2016, hackers breached Uber’s systems and made off with personal information for 57 million customers. They also made off with other information for 7 million Uber drivers and 600,000 drivers license numbers.
Uber says that no socials or credit cards or trip information was taken.
At the time, Uber was fighting with U.S. regulators regarding privacy violations. Someone inside the organization decided that, given what was going on, maybe burying this breach might be a better idea than fessing up.
So Uber paid the hackers $100,000 to “delete” the data. I am sure that they did that because they are people of honor. Then they buried the incident.
Fast forward a year and Uber has a new CEO after a whole bunch of bad press. The CEO hires an outside law firm to help clean up the old west and what do they discover but an old breach, a $100,000 ransom and an oopsie, we forgot to report this.
Paying the ransom is probably not illegal.
Not telling shareholders that they were breached, well that is less clear. I guess they could say that a breach of 57 million customers is not material. Unless, that is, word about it gets out and they get sued – which is exactly what is happening now.
Not telling regulators about that – pretty clear that is illegal.
And, given that Uber operates in most states in the U.S. and there are different privacy laws in each of the states, they likely broke the law in a whole bunch of states.
IF, and this is not clear, there was information on residents of foreign countries, they likely broke foreign laws as well.
Here is the lesson in Internet law.
Since the breach was disclosed, the New York AG has said he is investigating and a lawsuit has been filed seeking class action status.
Uber’s co-founder learned of the breach in November 2016, right after Uber had settled a privacy lawsuit with the New York AG and was negotiating with the FTC over the handling of consumer data. Apparently he decided not to tell the AG or the FTC.
The hack was pretty simple. The hackers found a private Github repository that apparently was not adequately (or at all) protected and found Amazon web services credentials in that repository. They logged on to Amazon, found the data and attempted to extort Uber.
Uber does not have a reputation as a model citizen; in fact they have been involved in at least five criminal probes over bribes, illegal software, questionable pricing schemes and other issues. This fits right in there.
Uber has brought in some high priced talent to help sort out the mess and rehabilitate their image. Former GC of the NSA (not sure they sould be a role model for Uber), for example. Based on some questionable NSA activities in the past, he may fit right into Uber’s culture.
What we don’t know at this point is what the various state regulators are going to do about this. I assume that regulators COULD revoke Uber’s license to operate in their state, but I doubt that will happen.
Could the various states file criminal and/or civil charges – that I suspect is much more likely, especially since they knowingly covered up the breach?
I am sure that it will be at least a few months before we have any idea on the scope of the fallout. Given Uber’s past and very rocky relationship with regulators, those same regulators may decide that it is payback time.
Information for this post came from Bloomberg.