Congress Wants Answers on Uber’s Data Breach

Uber is now under scrutiny from Congress over a data breach last year that affected as many as 57 million user and driver accounts. It was revealed last week that the ride-hailing company paid $100,000 to hackers who accessed user data in exchange for their silence. The company hid the data breach from the public until recently.

U.S. Senator Mark R. Warner, Ranking Member of the Senate Banking Subcommittee on Securities, Insurance and Investment, pressed Uber CEO Dara Khosrowshahi on the company’s recent disclosure. Senator Warner posed the following questions to Khosrowshahi:

1. According to reports, Uber’s systems were breached after the attackers discovered log-in credentials to an AWS account used to handle payments. Why weren’t more robust access management mechanisms, including strong multi-factor authentication, enabled to prevent unauthorized access to passenger and driver data?

2. Who conducted the initial investigation for Uber that successfully identified the hackers? What “assurances” were provided by the hackers to prove they did, in fact, delete the compromised data?

3. Unlike ransomware payments, in which payment is made to recover or regain access to inaccessible data or systems, it appears the motivation behind this payment was principally to prevent the public or authorities from learning of the breach. What rationale was provided by senior executives for covering up this breach?

4. Uber has alleged that it was required to provide information relating to the breach and subsequent cover-up to prospective investors. Can you explain why Uber chose not to disclose the breach to drivers and users prior to, or at least at the same time as, a prospective investor?

5. Reports indicate that Uber successfully “tracked down the hackers and pushed them to sign nondisclosure agreements.” While some information necessary to accomplish this could certainly have been gleaned from traditional digital forensic tools, these reports – combined with Uber’s past pattern of conduct – raise serious questions about how Uber was able to track down the criminals who breached Uber’s systems and blackmailed the company, and whether these actions might have constituted violations of the Computer Fraud and Abuse Act. As you know, no private right exists for companies to “hack back” those who compromise their systems. In the process of tracking down these hackers, did Uber or any authorized party acting on its behalf engage in unauthorized access of third-party systems?

6. Uber’s decision to identify the responsible parties and commit them to a non-disclosure agreement thwarts law enforcement’s ability to bring criminal hackers to justice. To the extent Uber had lawfully acquired information enabling it to identify the hackers who had compromised its systems, ensure they would abide by agreements to delete the data and not to disclose the breach, and transfer them $100,000, it conceivably had enough information at hand to assist law enforcement in the apprehension of these criminals. Why did Uber choose not to provide relevant forensic information to law enforcement and has this information been provided to law enforcement in the last week?


Megha Shah
A dreamer, traveler, aspiring entrepreneur and a bookworm beyond repair, Megha Shah is extremely fond of writing and has been doing so since she was a child. Apart from being a part-time writer, Megha is currently in college, pursuing B. Com. (Hons). Megha is an ardent follower of ‘Hardship, Hustle and Heart’ and firmly believes in the power of hard work and destiny!
