Uber Answers for Data Breach, Alleged Cover Up in Senate Probe


By Daniel R. Stoller

Senators at a Feb. 6 hearing prodded an Uber Technologies Inc. official over allegations that the ride-hailing giant concealed a 2016 data breach for nearly a year and paid off cybercriminals to delete the stolen data.

Sen. Richard Blumenthal (D-Conn.) said that Uber engaged in “a form of obstruction of justice.” Blumenthal and other lawmakers at the Senate Commerce, Science and Transportation Consumer Protection, Product Safety, Insurance and Data Security Subcommittee hearing probed Uber’s handling of the breach, which exposed the personal information, including names, email addresses, and driver’s license numbers, of 57 million drivers and consumers. No Social Security numbers or payment card details were exposed in the breach, according to Uber.

Uber Chief Information Security Officer John Flynn told lawmakers he regretted not notifying consumers earlier. Under questioning from Subcommittee Chairman Jerry Moran (R-Kan.), Flynn said there was “no justification” for not disclosing the breach sooner.

Flynn voluntarily appeared before the Senate panel and not under subpoena, a company spokesperson told Bloomberg Law.

Flynn told lawmakers that Uber originally characterized the hack as part of its own bug bounty program. However, the hackers found a security weakness and exploited it for financial gain, he said. Bug bounty programs bring in ethical hackers who, with consent and for a reward, try to break into company or government information technology systems to discover vulnerabilities that cybercriminals could exploit.

Clear Line Crossed?

Unlike researchers participating in a bug bounty program, the uninvited cybercriminals who hacked into Uber were allegedly paid by the company to delete the stolen data and keep the incident quiet.

There’s a clear line between “bug bounty programs and being extorted,” Casey Ellis, chairman and chief technology officer at bug bounty company Bugcrowd, told Bloomberg Law.

Lawmakers, consumer groups, and security researchers at the hearing said that paying uninvited cybercriminals amounted to giving in to extortion, and that it was a mistake by the company to pay up. Blumenthal went as far as to say that Uber’s actions could constitute aiding and abetting the hackers.

“Hiding the breach and then trusting the hackers that they would destroy the data were and are mistakes,” Kent Landfield, chief standards and technology policy strategist at McAfee Inc., told Bloomberg Law in an email.

Instead of paying the cybercriminals, Uber should have had better cybersecurity protections in place and should have sought out a vulnerability detection program, security researchers told Bloomberg Law.

The goal of a vulnerability disclosure program, either internal or external, is to find weaknesses in information technology infrastructure before hackers can exploit them, Ellis said.

Uber’s decision to pay off the hackers instead of using other methods was “110 percent a bad idea,” he said.

‘Crowd of Allies’

Senate lawmakers also delved into whether bug bounty programs and other vulnerability detection initiatives can help companies limit or prevent data breaches.

The programs bring together ethical hackers from across the globe to find corporate vulnerabilities before hackers can.

Silicon Valley giants such as Alphabet Inc.'s Google have adopted such programs, Flynn said.

However, the financial services, health-care, and automotive industries have been slow to enact such programs, Ellis said.

Bug bounty programs allow ethical hackers to band together as a “crowd of allies” to bring down a “crowd of adversaries” that try to wreak havoc on a company, Ellis said.

To contact the reporter on this story: Daniel R. Stoller in Washington at dstoller@bloomberglaw.com

To contact the editor responsible for this story: Donald Aplin at daplin@bloomberglaw.com

Copyright © 2018 The Bureau of National Affairs, Inc. All Rights Reserved.