Senators at a Feb. 6 hearing prodded an Uber Technologies Inc. official over allegations that the ride-hailing giant concealed a 2016 data breach for nearly a year and paid off cybercriminals to delete the stolen data.
Sen. Richard Blumenthal (D-Conn.) said that Uber engaged in “a form of obstruction of justice.” Blumenthal and other lawmakers at the Senate Commerce, Science and Transportation Consumer Protection, Product Safety, Insurance and Data Security Subcommittee hearing probed Uber’s handling of the breach, which exposed the personal information, including names, email addresses, and driver’s license numbers, of 57 million drivers and consumers. No Social Security numbers or payment card details were exposed in the breach, according to Uber.
Uber Chief Information Security Officer John Flynn told lawmakers he regretted not notifying consumers earlier. Under questioning from Subcommittee Chairman Jerry Moran (R-Kan.), Flynn said there was “no justification” for not disclosing the breach sooner.
Flynn voluntarily appeared before the Senate panel and not under subpoena, a company spokesperson told Bloomberg Law.
Flynn told lawmakers that Uber originally characterized the hack as part of its own bug bounty program. However, the hackers found a security weakness and exploited it for financial gain, he said. Bug bounty programs bring in ethical hackers who, with consent and for a reward, try to break into company or government information technology systems to discover vulnerabilities that cybercriminals could exploit.
Unlike bug bounty participants, the uninvited intruders who broke into Uber were allegedly paid by the company to delete the stolen data and keep the incident quiet.
There’s a clear line between “bug bounty programs and being extorted,” Casey Ellis, chairman and chief technology officer at bug bounty company Bugcrowd, told Bloomberg Law.
Lawmakers, consumer groups, and security researchers at the hearing said that paying uninvited cybercriminals was giving in to extortion, and that it was a mistake by the company to pay up. Blumenthal went so far as to say that Uber’s actions could constitute aiding and abetting the hackers.
“Hiding the breach and then trusting the hackers that they would destroy the data were and are mistakes,” Kent Landfield, chief standards and technology policy strategist at McAfee Inc., told Bloomberg Law in an email.
Instead of paying the cybercriminals, Uber should have had better cybersecurity protections in place and should have sought out a vulnerability detection program, security researchers told Bloomberg Law.
The goal of a vulnerability disclosure program, either internal or external, is to find weaknesses in information technology infrastructure before hackers can exploit them, Ellis said.
Uber’s decision to pay off the hackers instead of using other methods was “110 percent a bad idea,” he said.
Senate lawmakers also delved into whether bug bounty programs and other vulnerability detection initiatives can help companies limit or prevent data breaches.
The programs bring together ethical hackers from across the globe to find corporate vulnerabilities before criminals can.
Silicon Valley giants such as Alphabet Inc.’s Google have adopted such programs, Flynn said.
However, the financial services, health-care, and automotive industries have been slow to enact such programs, Ellis said.
Bug bounty programs allow ethical hackers to band together as a “crowd of allies” to bring down a “crowd of adversaries” that try to wreak havoc on a company, Ellis said.
To contact the reporter on this story: Daniel R. Stoller in Washington at email@example.com
To contact the editor responsible for this story: Donald Aplin at firstname.lastname@example.org
Copyright © 2018 The Bureau of National Affairs, Inc. All Rights Reserved.