“Legally Reprehensible”: Senate Chastises Uber’s Conduct in 2016 Data Breach

Patterson Belknap Webb & Tyler LLP
Contact
LinkedIn
Facebook
X
Send
Embed

On Tuesday, a Senate subcommittee grilled Uber’s Chief Information Security Officer, John Flynn, over a 2016 data breach that affected nearly 57 million drivers and riders. At the hearing, Uber faced backlash from lawmakers for its “morally wrong and legally reprehensible” conduct that “violated not only the law but the norm of what should be expected.”

As we previously reported, Uber was the target of the high-profile data theft in late 2016, but did not disclose the incident until November 2017.  The company was criticized for its failure to notify users.  One lawmaker called Uber’s failure to timely notify users of the breach as “rais[ing] red flags … as to what systemic issues prevented such time-sensitive information from being made available to those left vulnerable.”  Uber’s decision to remain silent was further questioned because the company was already in communication with the U.S. Federal Trade Commission concerning a previous data security incident. The ride-hailing company was similarly criticized for its $100,000 ransom payment to the hackers, which was the subject of Tuesday’s hearing.

Uber initially classified the payment as part of its “bug bounty program,” a program offered by companies and website developers to encourage the reporting of bugs and vulnerabilities.  Flynn testified that the payment to the hackers, to keep the breach secret and delete the stolen data, was “not done consistent with the way our bug bounty program operates.”  Uber has paid nearly $1.3 million through its bug bounty program.  According to Senator Richard Blumenthal, “[a]t the same time Uber was negotiating with its blackmailers, it was speaking with the Federal Trade Commission,” calling the conduct “a form of obstruction of justice.”

Flynn emphasized that it was “wrong not to disclose the breach earlier,” stating that “there was no justification.”  According to Flynn, Uber “did not have the right people in the room.” A number of lawmakers called for legislation setting national standards for companies to notify consumers and government agencies when data breaches occur.

Uber terminated its Chief Information Security Officer and his deputy months ago for their involvement in the breach.  Several states and cities, as well as breach victims, have filed lawsuits against the company over the 2016 incident.  There are also numerous law enforcement and regulatory agencies investigating the breach.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Patterson Belknap Webb & Tyler LLP | Attorney Advertising

Written by:

Patterson Belknap Webb & Tyler LLP
Patterson Belknap Webb & Tyler LLP
Contact
more
less

Patterson Belknap Webb & Tyler LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide