U.S. Senator Mark Warner today pressed Uber CEO Dara Khosrowshahi on the company’s recent disclosure that hackers accessed the personal information of 57 million users last year.
Uber paid the hackers $100,000 to pledge to destroy the data – which included the names and driver’s licence numbers of 600,000 drivers, and names, phone numbers, and email addresses of millions of riders – and did not disclose the hack to regulators or users until last week. Warner posed the following probing questions to Khosrowshahi:
According to reports, Uber’s systems were breached after the attackers discovered log-in credentials to an AWS account used to handle payments. Why weren’t more robust access management mechanisms, including strong multi-factor authentication, enabled to prevent unauthorized access to passenger and driver data?
Who conducted the initial investigation for Uber that successfully identified the hackers? What “assurances” were provided by the hackers to prove they did, in fact, delete the compromised data?
Unlike ransomware payments, in which payment is made to recover or regain access to inaccessible data or systems, it appears the motivation behind this payment was principally to prevent the public or authorities from learning of the breach. What rationale was provided by senior executives for covering up this breach?
Uber has alleged that it was required to provide information relating to the breach and subsequent cover-up to prospective investors. Can you explain why Uber chose not to disclose the breach to drivers and users prior to, or at least at the same time as, a prospective investor?
Reports indicate that Uber successfully “tracked down the hackers and pushed them to sign nondisclosure agreements.” While some information necessary to accomplish this could certainly have been gleaned from traditional digital forensic tools, these reports – combined with Uber’s past pattern of conduct – raise serious questions about how Uber was able to track down the criminals who breached Uber’s systems and blackmailed the company, and whether these actions might have constituted violations of the Computer Fraud and Abuse Act. As you know, no private right exists for companies to “hack back” those who compromise their systems. In the process of tracking down these hackers, did Uber or any authorized party acting on its behalf engage in unauthorized access of third party systems?
Uber’s decision to identify the responsible parties and commit them to a non-disclosure agreement thwarts law enforcement’s ability to bring criminal hackers to justice. To the extent Uber had lawfully acquired information enabling it to identify the hackers who had compromised its systems, ensure they would abide by agreements to delete the data and not to disclose the breach, and transfer them $100,000, it conceivably had enough information at hand to assist law enforcement in the apprehension of these criminals. Why did Uber choose not to provide relevant forensic information to law enforcement and has this information been provided to law enforcement in the last week?