Uber’s top security official told lawmakers on Capitol Hill this week that the ride-share giant had “no justification” for not revealing its massive data breach in 2016.
“It was wrong not to disclose the breach earlier,” said John Flynn, Uber CISO said, in prepared statements.
The admission seems weak at best given the fact that it took the company a year to reveal a breach that affected 57 million customers and drivers worldwide, with names, email addresses and mobile phone numbers included in the trove of data stolen. The firm concealed the breach by paying off the hackers but failed to notify victims or relevant bodies. Finally, in November 2017, it admitted to the incident, noting that it had paid the hackers – after the breach – via the conduit of its HackerOne bug-bounty program.
“The bug bounty program is not an appropriate vehicle for dealing with intruders,” said Flynn, without explaining the justification for doing so at the time.
"[The] hearing spotlights the ethical considerations around how Uber responded to its recent breach,” said Bugcrowd founder and CTO Casey Ellis, via email. “This was not a bug-bounty payout. This was extortion, and the difference between the two is unambiguous. Extortion happens when a company is approached by an attacker that has gained valuable information and demands payment to keep the discovery quiet. Extortion is initiated by the attacker, and the attacker holds the power. Bug-bounty programs operate in a controlled environment with secure communication on all ends to facilitate interactions between businesses and the researcher community for safe and effective security testing.”
Needless to say, lawsuits are ongoing.
Flynn, along with representatives from HackerOne and other firms, appeared as part of a hearing before the Consumer Protection, Product Safety, Insurance and Data Security Subcommittee of the Senate Commerce, Science and Transportation Committee.
“Going forward, Uber is revisiting its incident response approach in circumstances such as these,” Flynn said. “We have hired Matt Olsen, a former general counsel of the National Security Agency and director of the National Counterterrorism Center, to help structure the security team and guide new processes going forward.”
Lawmakers did not let the company off lightly.
“The fact that the company took approximately a year to notify impacted users raises red flags within this committee as to what systemic issues prevented such time-sensitive information from being made available to those left vulnerable,” Chairman Jerry Moran (R-KS), said in his opening statement.
Senator Richard Blumenthal (D-NY) said Uber’s management of the hack was “morally wrong and legally reprehensible,” before noting that the company has likely ran afoul of rules for data breach disclosure in various states across the country.