When Uber was hacked in 2016, it decided that instead of informing its clients or regulators (so that we could decide how best to protect ourselves), it would pay off the hackers, trust them to delete the data, and apparently pray that nobody would notice.
About a year later, it finally admitted to the breach. Current Uber CEO Dara Khosrowshahi, who replaced former CEO Travis Kalanick facing mounting allegations of sexual harassment, claimed to have only recently been made aware of the breach.
“At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals,” Khosrowshahi said in the statement.
“We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts,” he said, choosing not to elaborate on just how the hackers proved they had destroyed the data.
Since the disclosure, one customer has already filed a lawsuit against the company and is seeking class-action status. A $10 billion deal with SoftBank could be affected. Governments from the US, UK, Australia and the Philippines are launching investigations, as are state attorneys general in New York, Illinois, Connecticut and Massachusetts. 48 states in the US have laws that protect consumers by requiring companies to notify them of security breaches.
According to Gus Hurwitz, co-director of the University of Nebraska College of Law’s Space, Cyber and Telecom Law Program, “Failure to notify can subject Uber to substantial monetary damages, especially if it was intentional. Generally, it’s a fine per record. You can see how those numbers get very large very quickly.”
It seems Uber’s cash burn strategy might run out of fuel sooner than expected — unless its $1 billion investment in automated vehicles, getting rid of those pesky drivers who got them this far in the first place, pays off.