Coverage: Uber hack continues company’s problems
The problems for ride-sharing company Uber Technologies Inc. continue after it was revealed that the company disclosed its massive data breach to prospective investor SoftBank Group Corp. before revealing the details to the public.
Robert Fenner of Bloomberg News had the story:
The disclosure came as SoftBank conducts due diligence on the ride-hailing company ahead of a potential investment, Uber said in an emailed statement. SoftBank, which may put as much as $10 billion into the company, declined to comment.
Uber faces investigation by regulators after disclosing earlier this week that it hid for more than a year the hacking of a vast amount of personal data from 57 million drivers and customers. The company ousted its chief security officer and one of his deputies for their roles in hiding the hacking, which included a $100,000 payment to the attackers.
“We informed SoftBank that we were investigating a data breach, consistent with our duty to disclose to a potential investor, even though our information at the time was preliminary and incomplete,” Uber said in the statement. “We also made clear that our forensic investigation was ongoing.”
Julia Fioretti of Reuters reported that European privacy regulators will discuss the hack next week:
The chair of the group of European data protection authorities – known as the Article 29 Working Party – said on Thursday the data breach would be discussed at its meeting on Nov. 28 and 29.
While EU data protection authorities cannot impose joint sanctions, they can set up task-forces to coordinate national investigations.
When a new EU data protection law comes into force next May, regulators will have the power to impose much higher fines – up to 4 percent of global turnover – and coordinate more closely.
Uber paid hackers $100,000 to keep secret the massive breach.
The stolen information included names, email addresses and mobile phone numbers of Uber users around the world, and the names and license numbers of 600,000 U.S. drivers, Khosrowshahi said. Uber declined to say what other countries may be affected.
Mallory Locklear of Engadget reports that the Federal Trade Commission is also looking into the hack:
But here’s the thing, the FTC just wrapped up an investigation into the company over issues with how it managed its security. The agency determined that Uber didn’t adequately protect data and misrepresented how secure that data actually was. Part of Uber’s settlement with the FTC over that investigation included an agreement to undergo third-party privacy audits every two years for the next two decades and a promise that it would no longer misrepresent how it monitors, protects and secures consumers’ personal information. At the time that settlement was announced, Uber said in a statement, “We’ve significantly strengthened our privacy and data security practices since then and will continue to invest heavily in these programs. […] This settlement provides an opportunity to work with the FTC to further verify that our programs protect user privacy and personal information.”
That settlement was announced in August of this year. “It appears they violated the FTC consent order before the ink was dry on it,” former cybercrime prosecutor Ed McAndrew told CNET. “At the very time they were negotiating a consent order with the FTC, they were knowingly not disclosing it.”
Along with the FTC, Uber could also be investigated by several states whose laws it violated when it didn’t disclose the breach to its customers. Reuters reports that at least six states’ attorneys general offices have said they’ll be looking into the issue, as will authorities in the UK, Australia and the Philippines. An Uber spokesperson told CNET, “We’ve been in touch with several state attorney general offices and the FTC to discuss this issue, and we stand ready to cooperate with them going forward.”