Uber could be in legal trouble after covering up its latest data breach

Uber could face legal consequences for failing to disclose a breach of users' personal information. (ANTHONY WALLACE/AFP/Getty Images)

Uber was hacked in 2016, didn’t tell anyone, and paid the hackers $100,000 to destroy the data. Now the company could face legal consequences for failing to disclose the breach of personal information.

The hack

In what one security expert called an unsophisticated hack, hackers stole phone numbers, email addresses and names of 57 million Uber users, as well as 600,000 driver’s license numbers of Uber drivers.

Uber uses a service called GitHub to store code and track projects. Hackers got into Uber’s GitHub account and found a username and password that gave them access to user data, which is stored on an Amazon server. It was likely an accident that the login credentials were stored in GitHub.

The legal issue

  • New York and Massachusetts have opened an investigation into the breach.
  • U.S. Sen. Richard Blumenthal (D-Conn.) called on the Federal Trade Commission to punish Uber.

When a company is hacked and personal information is compromised, the company is supposed to report the breach to users, regulators and authorities.

What they’re not supposed to do is pay the hackers to destroy the data and pretend the whole thing never happened, which is what Uber did.

All but two states have security breach notification laws that require companies to disclose hacks of private information.

From bad to worse for Uber

This issue just adds to a growing list of controversies Uber has been involved in recently.

  • Uber paid the FTC $20 million in January in a settlement over charges of misleading drivers about how much money they could make.

  • Uber settled with the FTC over allegations that it made “deceptive privacy and security claims” after a hacker accessed data on 100,000 drivers in August.
