Uber Breach Response Draws Bipartisan Hill Concern

Hacker payoff, delayed notice, draws letters from both Republicans and Democrats

Uber's revelation about a data breach has drawn plenty of attention in Washington from legislators returning from their holiday breaks, and they weren't sending any thanks the company's way.

The chairman of the Senate Commerce Committee, John Thune (R-S.D.), joined by three other Republican senators, wrote Uber CEO Dara Khosrowshahi after news outlets reported that Uber had paid hackers $100,000 last year to delete information they had stolen from the company, said to be personal information on some 600,000 drivers and 57 million users, but had not told users or regulators about the breach.

Uber reached a consent decree with the Federal Trade Commission last August over privacy and data security practices, which the senators are concerned it may have breached, at least in spirit.


The legislators have many questions they want answered, including when Uber first knew it had been hacked, when regulators were notified of the breach, and what the company has done to mitigate the harm.

In his own letter, Sen. Mark Warner (D-Va.), ranking member of the Senate Banking Subcommittee on Securities, Insurance and Investment, also had a number of questions about how Uber handled both the data and the breach. Among them: why it revealed the breach and "cover up" to prospective investors (as the SEC requires), but not to users or authorities; why it apparently paid the hackers as a way "to prevent the public or authorities from learning of the breach" (hence the "cover up" reference); and why, if it had tracked the hackers down, paid them, and even pushed them to sign nondisclosure agreements, Uber did not hand that information over to law enforcement to help catch them.

The Republicans also cited the FTC settlement, asking how Uber is complying with its obligations under that agreement, including the requirement "to establish, implement, and maintain a comprehensive privacy program."
