Uber Data Breach: Where do we go from here?

Written By Shelby Mann

Uber admitted to paying hackers $100,000 for a 2016 data breach last week. This comes on the heels of several other mishaps, including an FTC order requiring the company to permit to up to 20 years of privacy auditing, prolific workplace sexual harassment, and drivers with criminal records.

Background

On November 21, 2017, Uber CEO Mr. Dara Khosrowshahi announced the company became aware of a data breach in late 2016. Khosrowshahi said while there wasn’t any indication “trip location history, credit card numbers, bank account numbers, Social Security numbers, or dates of birth were downloaded,” the two hackers did download files with information such as the names and driver’s license numbers of approximately 600,000 U.S. drivers, and personal information of 57 million Uber users. That personal information included names, email addresses, and phone numbers.

What Khosrowshahi did not include in the blog post was that the company paid the hackers $100,000 to keep the data breach secret and delete the stolen information. While the breach did not occur under Khosrowshahi’s leadership—Khosrowshahi replaced Uber co-founder Travis Kalanick as CEO in August 2017—Khosrowshahi reportedly learned of the breach in September 2017, just after he took over. Since discovering the breach, Uber’s chief security officer and a deputy were fired for the cover-up response to the hack.

Investigations

Uber announced the data breach a little over a week ago, but several parties are already launching investigations.

  1. On Monday, members of Congress asked the company several questions. Specifically, they asked why Uber didn’t inform customers sooner, whether the company spoke with law enforcement agencies about the matter, and what Uber is doing to help drivers whose sensitive data was stolen. Four Republican senators expressed concerns over Uber’s prior privacy issues, stating this is a serious incident that “merits further scrutiny.” They also asked Uber to provide a detailed timeline to Congress, including the “initial discovery of the incident, forensic investigation and subsequent security efforts, notifications to law enforcement agencies and regulators, as well as any notification to affected customers[.]”
  2. The Federal Trade Commission said it is also “closely evaluating the serious issues” surrounding Uber’s cover-up of the data breach. This comes after the FTC just penalized the company for misleading customers on privacy and security practices.
  3. Five states have separately announced plans to investigate. The attorneys general of Connecticut, Illinois, Massachusetts, Missouri, and New York, have announced they are examining the incident. The City of Chicago, in conjunction with the Cook County state’s attorney, is also suing Uber over the data breach, separately from the State of Illinois.
  4. Data privacy regulators in other countries, such as Italy, Mexico, and the UK, are also investigating. While the exact number of affected international users isn’t known, Uber did confirm the breach included international users.

Additional Lawsuits

Individuals are also suing the ride-hailing company. There are currently three lawsuits in California and Oregon, wherein the plaintiffs allege Uber was negligent in its failure to protect consumer data. The suits further claim having data compromised without a timely notice to harmed consumers. Each of these suits are suing Uber as part of a class action.

Legality of Uber’s Actions

Forty-eight states have laws requiring companies promptly notify consumers when their data is stolen. Alabama and South Dakota are the two who do not. Nevertheless, in many of those 48 states, theft of the Uber drivers’ license numbers would have required prompt public disclosure.

Further, many consumer protection laws in other countries also require disclosure of data breaches. Whether Uber expressly violated these laws will come to fruition following investigations being conducted around the world.

Uber has a couple of tools to use in the face of impending litigation and class-action suit. Arbitration clauses in contracts with drivers and passengers will be an obstacle for those seeking damages. In signing up for the app, users agree to waive their right to go to court. However, in citing the arbitration clause, state and federal regulators may be more likely to sue.

The success of class-action data breach litigation also turns on the type of information stolen. Uber claims only limited information – names, email addresses, cellphone numbers – was stolen, and outside forensic experts saw no indications of stolen sensitive personal information like credit card numbers, bank account information, or Social Security numbers. Further, there is not yet any evidence the stolen information was misused. Consequently, Uber may have a good defense in arguing that consumers cannot show the breach caused actual–or even likely–harm.

More information continues to roll out on a daily basis. It remains to be seen how this event, and other company data breaches like it, will shape the future of privacy laws and policies. For now, Uber users are encouraged to change their passwords, check their accounts for fraudulent activity, and set up credit monitoring just in case.

••••••••••••••••••••••••••••••••••••••••••••••••••••

Sources Cited

Letter from Sen. John Thune et al., to Dara Khosrowshahi, CEO, Uber (Nov. 27, 2017).

Letter from Sen. Mark Warner to Dara Khosrowshahi, CEO, Uber (Nov. 27, 2017).

Julia Apostle, The Uber Data Breach Has Implications for Us All, Financial Times (Nov. 27, 2017).

Chris Morris, Uber Hack: Here’s How to Find Out If You’ve Been Affected, Fortune (Nov. 22, 2017).

Andrew Blake, Uber Under Investigation in Several States Over Newly Disclosed Data Breach, The Washington Times (Nov. 23, 2017).

Jim Finkle & Heather Somerville, Regulators to Press Uber After it Admits Covering Up Data Breach, Reuters (Nov. 21, 2017, 5:37 AM).

Dara Khosrowshahi, 2016 Data Security Incident, Uber (Nov. 21, 2017).

Tom Krisher & Barbara Ortutay, Will Uber’s Data Breach Cover-up be the Final Straw for Its Most Loyal Users?, Time (Nov. 23, 2017).

Natasha Lomas, Uber Data Breach “Raises Huge Concerns,” Says UK Watchdog, TechCrunch (Nov. 22, 2017), https://techcrunch.com/2017/11/22/uber-data-breach-raises-huge-concerns-says-uk-data-watchdog/.

Natasha Lomas, Uber Agrees to 20 Years of Privacy Audits to Settle FTC Data Mishandling Probe, TechCrunch (Aug. 15, 2017).

Julia Love, Mexican Authorities Seek Information from Uber About Data Breach, Reuters (Nov. 26, 2017, 3:34 PM).

Tony Romm, Uber is Going to Have to Explain to Congress Why it Hid the 2016 Data Breach that Affected 57 Million Users, Recode (Nov. 27, 2017, 3:29 PM).

Hamza Shaban, Uber is Sued Over Massive Data Breach After Paying Hackers to Keep Quiet, The Washington Post (Nov. 24, 2017).