Uber CISO: There was no justification for hiding data breach

Senators slam taxi firm for cover-up of hack affecting 57 million people

Uber's CISO yesterday admitted that there was "no justification" for covering up a huge data breach affecting millions of customers and drivers.

The breach, which was first reported in November last year, exposed the personal information of 57 million users, including 2.7 million in the UK, as well as the license numbers of roughly 600,000 drivers.

Uber's John Flynn told US lawmakers at a Senate hearing yesterday that the company made an error in not disclosing the intrusion to the authorities and to its customers, saying: "We made a misstep in not reporting to consumers, and I think we made a misstep in not reporting to law enforcement."

Rather than report the breach, Uber paid one of the two hackers responsible $100,000 to keep the breach under wraps and to not leak the stolen data.

Senators also noted that while Uber was covering this breach up, it was in the midst of negotiations with the Federal Trade Commission over a settlement for an earlier data breach.

The money was delivered through a bug bounty programme - a framework usually used to reward ethical hackers for reporting flaws to companies rather than exploiting them. Flynn acknowledged in his testimony that this use of the bug bounty programme was 'inappropriate'.

"We recognise that the bug bounty programme is not an appropriate vehicle for dealing with intruders who seek to extort funds from the company," he said. "The approach that these intruders took was separate and distinct from those of the researchers in the security community for whom bug bounty programs are designed."

Legislators slammed Uber over its conduct, calling its actions "morally wrong and legally reprehensible".

"There ought to be no question here that Uber's payment of this blackmail without notifying consumers who were greatly at risk was morally wrong and legally reprehensible and violated not only the law but the norm of what should be expected," said Democratic senator Richard Blumenthal.

"The fact that the company took approximately a year to notify impacted users raises red flags within this committee as to what systemic issues prevented such time-sensitive information from being made available to those left vulnerable," added Republican and Senate panel chairman senator Jerry Moran.

Featured Resources

Digital document processes in 2020: A spotlight on Western Europe

The shift from best practice to business necessity

Download now

Four security considerations for cloud migration

The good, the bad, and the ugly of cloud computing

Download now

VR leads the way in manufacturing

How VR is digitally transforming our world

Download now

Deeper than digital

Top-performing modern enterprises show why more perfect software is fundamental to success

Download now

Recommended

US charges six Russians behind NotPetya and Olympics hacks
Security

US charges six Russians behind NotPetya and Olympics hacks

20 Oct 2020
Microsoft becomes the most-spoofed brand for phishing attacks
Security

Microsoft becomes the most-spoofed brand for phishing attacks

20 Oct 2020
Managing employee security risks during lockdown
Security

Managing employee security risks during lockdown

20 Oct 2020
iPhone 12 poses potential security risk for WhatsApp users
Security

iPhone 12 poses potential security risk for WhatsApp users

19 Oct 2020

Most Popular

The top 12 password-cracking techniques used by hackers
Security

The top 12 password-cracking techniques used by hackers

5 Oct 2020
iPhone 12 lineup official with A14 Bionic chip and 5G support
Mobile Phones

iPhone 12 lineup official with A14 Bionic chip and 5G support

13 Oct 2020
Google blocked record-breaking 2.5Tbps DDoS attack in 2017
Security

Google blocked record-breaking 2.5Tbps DDoS attack in 2017

19 Oct 2020