Where Uber Went Wrong In Its Big Data Breach
Between a very long delay in breach notification and a reported payoff to hackers, troubled Uber isn't coming out of this situation looking too great.
November 30, 2017 at 12:51 PM
Shutterstock/Creative Caliph.
Many were shocked last week when it was revealed that Uber Technologies Inc. had suffered a massive data breach, which it reportedly covered up for more than a year. It was also widely reported that the ride-hailing company ponied up $100,000 to keep the hackers quiet.
The much delayed notification about the breach has made already embattled Uber the target of numerous new lawsuits and inquiries. It has also raised new questions around breach disclosure and underscored the question of whether companies can and should offer hackers financial incentives to keep stolen data under wraps.
In Uber's case, two employees were terminated last week following reports of the breach that impacted 57 million people. It remains to be seen how the courts will rule on whether or not Uber had the obligation to disclose the breach when it occurred last October, but the company, which did not respond to requests for comment for this article, is facing widespread criticism.
The Consequences
As of Thursday, just over a week after new Uber CEO Dara Khosrowshahi confirmed the breach in a company blog post, Uber's chief security officer Joe Sullivan and in-house attorney Craig Clark have been ousted. The company is also facing inquiries from U.S. senators who want to know more about the breach, including the timeline of events and what notifications were or were not made to the Federal Trade Commission and law enforcement. Additionally, attorneys general from at least five states have launched investigations into the hack.
Uber has also been named in a number of lawsuits that aim to hold the company accountable for the hack and the subsequent cover-up. One consumer fraud lawsuit brought on behalf of the people of Illinois claims the ride-hailing giant failed to adequately protect the data of customers and drivers. A second consumer protection suit was filed by the state of Washington Tuesday, claiming Uber violated the state's data breach law.
The company has additionally been hit by two separate suits brought in federal courts in Los Angeles and San Francisco, both claiming the company was negligent in failing to implement proper safeguards to protect the data and in not providing timely notice of the breach.
Keller Rohrback, the firm bringing the San Francisco suit, has been involved in similar breach litigation against Equifax Inc. and Sony Pictures Entertainment Inc. Cari Campen Laufenberg, a member of Keller Rohrback's complex litigation group, told Corporate Counsel in an email the facts in this case are “some of the most egregious” the firm has seen during her tenure. “Uber has acted in a completely underhanded and self-serving manner, paying a ransom to hackers to destroy the data and keep the breach secret—ultimately, denying their customers and drivers the ability to protect themselves for over a year,” she said.
And in a Nov. 22 suit seeking class certification in U.S. District Court for the District of Oregon in Portland, it's alleged that Uber “unjustifiably failed” to notify consumers in a timely manner and negligently failed to maintain safeguards to protect the accessed information.
Michael Fuller, lead attorney for the plaintiff, said state law requires breaches to be disclosed as soon as possible. “Obviously there are circumstances where, when you're working with state and federal law enforcement, you may not want to disclose immediately that you've been hacked, but this is not a case where Uber was working with anyone except for with the hackers,” he said.
All the while, the San Francisco-based company must also contend with another possible probe from the FTC. In November 2014, the agency initiated an investigation into a breach that allowed access to the personal data of roughly 100,000 drivers. In August of this year, Uber reached a settlement with the FTC, agreeing to submit to regular audits of its privacy protocols for the next two decades.
According to public records obtained by Corporate Counsel, while FTC staff were evaluating Uber's data security program and practices in response to this 2014 incident, the ride-hailing company was ordered to preserve all documents related to its data policies that “may be in any way relevant to a potential investigation, irrespective of whether Uber believes that such documents may be protected from discovery,” the FTC wrote in a March 2015 letter to Uber counsel.
Failure to preserve this information, the letter continued, could result in civil or criminal liability.
The FTC declined to answer Corporate Counsel's questions about whether it is formally investigating Uber and if the company is in violation of any laws for not disclosing the most recent breach during the commission's previous investigation. “We are aware of press reports describing a breach in late 2016 at Uber and Uber officials' actions after that breach,” an FTC spokesperson said in an emailed statement. “We are closely evaluating the serious issues raised.”
Big Missteps
Uber's revelations about the breach leave a number of unanswered questions, such as who else in the company knew about the breach and the subsequent cover-up, aside from the two departed employees.
According to The New York Times, the deal with the hackers was arranged by the “company's chief security officer and under the watch of the former chief executive, Travis Kalanick.” And yet, Reuters reports that while Kalanick learned of the breach in November 2016, neither he nor outgoing chief legal officer Salle Yoo “were involved in the cover-up.” Uber did not respond to a request for comment on who knew what and when they learned it.
In the United States, 48 states and the District of Columbia have data breach notification laws that are triggered after a hack, though their specific provisions vary. On the federal level, the FTC often steps in when companies have “engaged in unfair or deceptive practices that put consumers' personal data at unreasonable risk.”
Given the many rules in play requiring notification, it doesn't make sense that Uber wouldn't have notified its customers and drivers, said Gregg Garrett, head of international cybersecurity at advisory firm BDO USA. “It's well understood … that there are existing requirements by the Federal Trade Commission to disclose information of a cyber breach and of course not to destroy information that could be pertinent to an investigation, that could be deemed evidence,” he said. “I don't believe that [Uber] didn't understand that what was disclosed was personally identifiable information.”
In some states, notification is not required if it's determined through either an internal investigation or consultation with relevant law enforcement agencies that there's no reasonable likelihood of harm. Because Uber tracked down the hackers and paid them to delete the data, could the case be made that in certain states, at least, notification wasn't required? Garrett said no, he doesn't “buy that” argument.
Garrett said it's also concerning how long Khosrowshahi seemingly knew about the breach before it was revealed last week. According to The Wall Street Journal, Khosrowshahi learned of the incident about two weeks after he stepped in as CEO on Sept. 5. Uber did not respond to a request for comment on whether this timeline is accurate, but if true, it would mean the new CEO knew for more than two months before publishing the blog post that committed to learning from company mistakes.
Khosrowshahi was, in all likelihood, trying to wrap his head around all of the information and to come up with a game plan, Garrett said, “but that should take place in a matter of days, not weeks or months.” He added that Khosrowshahi is “certainly culpable for extending the delay.”
The Cover-Up
And then, of course, there's the cover-up. Along with the $100,000 payment to the hackers in exchange for deleting the info, Uber also reportedly pushed them to sign nondisclosure agreements and company execs made the payout seem like a “bug bounty” in which hackers are paid to attack a company's systems to identify weak spots. Uber did not respond to inquiries seeking confirmation of these details.
“This may be a case where the cover-up was worse than the initial action,” said Paige Boshell, a partner at Bradley Arant Boult Cummings and leader of the firm's cybersecurity and privacy team. “When you have your hackers sign nondisclosure agreements and pay them and then make it sound like it was a bug bounty, it makes it more sound like you are more involved on the side of the criminal than your consumers,” she said, adding that asking hackers to sign NDAs is not typical.
Boshell added, however, that with a number of facts still unknown, it's hard to definitively judge the payout. “A hundred thousand dollars is not a lot of money to a company like that, so if they thought they were acting to protect their riders and their drivers, there may have been a thought process that was reasonable.”
There's no doubt Uber isn't the only company to be confronted with the dilemma of whether to incentivize hackers. If and when a company faces this question, lawyers said the answer is fact-specific.
Behnam Dayanim, partner with Paul Hastings, declined to comment on Uber specifically but said that, generally, the No. 1 consideration for a company will be how critical the data is to the business enterprise and “how, if at all, the enterprise can function while the data are being held by the attacker.”
The next consideration is “the degree to which the company has confidence that if it pays the hacker, the data will be released to it and won't be misused or otherwise misappropriated,” he said.
“One fear, of course, is you pay the hacker and either then the hacker either doesn't release the data to you or the hacker will release data to you but then sells it or uses it for other nefarious purposes,” he said, noting there's no guarantee the attackers will honor the deal to release the stolen information. “It's a question of trust.”
Dayanim said there are other downsides to making these payments. One is if the company makes the payment, “you identify yourself as an easy mark, which might mean you attract repeat attacks in the future.”
Another downside, he said, is the more companies make these payments, the more these attacks will proliferate.
Even so, Dayanim said, “The FBI and law enforcement, of course, frown upon making these payments, but they're not unlawful.”