Uber Blog Terms - Attivo Networks

Uber

Uber executive to testify before Senate on 2016 data breach

A top Uber executive will testify before the Senate next week on the company’s 2016 data breach, which exposed the data of 57 million users.

John Flynn, Uber’s chief information security officer, will appear before a Senate Commerce subcommittee on Tuesday. The hearing will focus on the breach and Uber’s reported payoff to the hacker responsible through its “bug bounty” program, which is meant to reward researchers for discovering vulnerabilities in the company’s infrastructure.

“We have worked closely with the Senate Commerce Subcommittee on Consumer Protection, Product Safety, Innovation, & Data Security and look forward to participating in their hearing,” an Uber spokesman said in a statement.

In November of last year, Uber CEO Dara Khosrowshahi announced that a breach had taken place before his arrival at the ride-hailing company, and disclosed the number of users affected by it.

Uber’s 2016 data breach affected 380,000 in Singapore, biggest reported breach here

Personal information of 380,000 riders and drivers of ride-sharing app Uber in Singapore – including names, e-mail addresses, and mobile phone numbers – was exposed in the app’s data breach in 2016, making it the largest reported breach here to date.

Singapore’s privacy watchdog, the Personal Data Protection Commission (PDPC), said it is investigating if the company had breached any laws.

“Uber’s breach has affected a significant number of users in Singapore. The PDPC takes a serious view of data breaches and is investigating whether Uber has breached the data protection provisions of the PDPA (Personal Data Protection Act),” said a PDPC spokesman.

“We expect Uber’s full cooperation in the course of the investigation.”

The Land Transport Authority (LTA) similarly said in a statement that it “expects Uber to be fully transparent and cooperate with local regulators to disclose the extent of those (drivers and customers) that have been affected in Singapore”.

Uber Paid 20-Year-Old Florida Man $100,000 To Keep Quiet About Data Breach

A 20-year-old Florida man was responsible for the large data breach at Uber Technologies Inc last year and was paid by Uber to destroy the data through a so-called “bug bounty” program normally used to identify small code vulnerabilities, three people familiar with the events have told Reuters.

Uber announced on Nov. 21 that the personal data of 57 million users, including 600,000 drivers in the United States, were stolen in a breach that occurred in October 2016, and that it paid the hacker $100,000 to destroy the information. But the company did not reveal any information about the hacker or how it paid him the money.

Uber made the payment last year through a program designed to reward security researchers who report flaws in a company’s software, these people said. Uber’s bug bounty service – as such a program is known in the industry – is hosted by a company called HackerOne, which offers its platform to a number of tech companies.

Reuters was unable to establish the identity of the hacker or another person who sources said helped him. Uber spokesman Matt Kallman declined to comment on the matter.

Newly appointed Uber Chief Executive Dara Khosrowshahi fired two of Uber’s top security officials when he announced the breach last month, saying the incident should have been disclosed to regulators at the time it was discovered, about a year before.

It remains unclear who made the final decision to authorize the payment to the hacker and to keep the breach secret, though the sources said then-CEO Travis Kalanick was aware of the breach and bug bounty payment in November of last year.

Uber’s Data Breach Cover-Up Strategy May Be More Common Than You’d Think

When embattled ride sharing company Uber finally disclosed last week that a 2016 data breach had compromised the names, email addresses and phone numbers of 57 million users and driver’s license numbers of 600,000 drivers, and that the company had attempted to hide the information from users and regulators, most consumers were shocked and horrified.

Corporate cybersecurity experts, however, were unsurprised. Apparently, data breach cover-ups happen all the time.

“I don’t know if it’s a well-kept secret or they don’t want to admit to it, but the painful reality is that there are so many financial drivers motivating companies not to report breaches that it’s difficult to motivate them to be ethical,” Gregg Garrett, head of international cybersecurity for BDO Consulting, told LTN.

Although there are data breach notification laws on the books in 48 U.S. states requiring companies to inform consumers about potential exposures of their personal information, companies don’t exactly have great incentives to disclose a potential data breach. Disclosing data breaches tends to invite scrutiny from investors, open the door to litigation, and may not play well for a company’s reputation.

Senators demand answers about Uber data breach

Several US senators are troubled by Uber’s belated reporting of a 2016 data breach and are demanding answers.

On Monday, four Republican senators sent a letter to the ride-hailing company, asking for additional details surrounding the breach, which affected 57 million users, but was only disclosed last week.

In the letter, the senators—John Thune, Orrin Hatch, Jerry Moran and Bill Cassidy—called the breach a “serious incident that merits further scrutiny.”

Also today, Democratic Sen. Mark Warner of Virginia sent a separate letter to Uber, saying he had “grave concerns” with how the company handled the breach.

Both letters pointed to media reports, which claim Uber paid the hackers behind the breach $100,000 to stay quiet and delete the stolen data. The ride-hailing company then remained silent on the matter for a whole year until its new CEO, Dara Khosrowshahi, learned of the incident, and decided to make it public.

“Uber’s conduct raises serious questions about the company’s compliance with relevant state and federal regulations,” Warner said.

Most states have laws that demand businesses disclose data breaches when they affect local residents. Why Uber decided to stay mum on the incident isn’t clear, but its previous CEO, Travis Kalanick, was notorious for trying to buck the rules.
