Uber’s very bad year got even worse with the revelation that the ride-hailing company failed to disclose a data breach for over a year and paid cyber attackers $100,000 to delete the stolen info and keep quiet.
A post on Uber’s blog written by CEO Dara Khosrowshahi and dated November 21 says that, “in late 2016 we became aware that two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use.”
Hackers stole the license numbers of 600,000 U.S. drivers and the names, email addresses, and phone number of 57 million Uber riders.
According to Bloomberg, hackers obtained security credentials uploaded to a GitHub repository and used them to steal the data of 57,000,000 Uber drivers and riders. The stolen data included the names and license numbers of around 600,000 U.S. drivers and the names, email addresses, and phone numbers of 57 million Uber users worldwide. Uber paid a $100,000 ransom to the hackers for their cooperation in keeping the incident under wraps.
Uber has reportedly “obtained assurances that the downloaded data had been destroyed” and seen “no evidence of fraud or misuse tied to the incident.” The company will provide drivers whose license numbers were compromised with free credit and identity theft protection.
“None of this should have happened, and I will not make excuses for it,” Khosrowshahi wrote on Uber’s blog. “We are changing the way we do business.”
Fallout and Legal Repercussions
State and federal laws require that companies inform the government and affected persons about breaches of sensitive data—such as driver’s licenses.
Chris Hoofnagle of the Berkeley Center for Law and Technology told The Guardian that, “The only way one can have direct liability under security breach notification statutes is to not give notice. Thus, it makes little sense to cover up a breach.”
Uber has fired Joseph Sullivan, its chief security officer, and one of Sullivan’s deputies. New York Attorney General Eric Schneiderman announced an investigation into the hack in response to Uber’s disclosure.
The federal government may also get involved. Earlier this year, Uber settled Federal Trade Commission (FTC) allegations that it failed to reasonably secure sensitive consumer data.
If, despite Uber’s assurances to the contrary, riders and drivers are the victims of identity theft or other fraud stemming from the stolen data, they may have limited legal options due to Uber’s arbitration agreement. The agreement states that Uber is not liable for damages, including lost data, resulting from any use of their services. Anyone who uses Uber’s services are bound by the agreement.
Arbitration agreements disallow individual and class action lawsuits and force legal disputes to be handled by a private arbitrator. Arbitration tends to be less generous to plaintiffs than jury trials.
Uber’s Tough Times Continue
While Uber (valued at $68 billion) is the most valuable U.S. startup company, the company has recently endured a string of scandals and is said to be losing money.
Khosrowshahi replaced co-founder Travis Kalanick as CEO after an investor mutiny earlier this year. Kalanick built an aggressive “tech bro” culture that turned Uber into a unicorn, but investors, led by Fidelity Investments, felt his brash leadership put the company at legal risk. They asked for his resignation in a letter titled “Moving Uber Forward.”
The data breach is a setback for Uber, which is trying to repair its reputation as one of America’s most-hated companies.
Uber pledged $5 million to sexual assault and domestic violence prevention following a scandal that involved hundreds of sexual harassment allegations. The company stands accused in a lawsuit of stealing intellectual property from Waymo, Google’s self-driving car division. In March, the New York Times revealed that Uber used software to avoid authorities in cities where it was illegally operating. Drivers have repeatedly sued Uber, claiming they are wrongly classified as independent contractors.
These incidents are just the tip of a scandal iceberg that has made Uber one of America’s most-hated companies. As Uber tries to repair its image under new leadership, the hacking scandal is a significant setback.
ClassAction.com is following the Uber data breach carefully, and we encourage anyone who may have been affected to contact us for a free legal consultation.