U.S. senators on both sides of the aisle have sent letters to Uber demanding answers in the wake of the transportation company's disclosure that it concealed an October 2016 data breach incident that compromised the information of 57 million customers and drivers.
Among the key questions posed by lawmakers to new Uber CEO Dara Khosrowshahi is why the company opted to pay hackers $100,000 to delete names, email addresses and other user data that they stole from an Amazon Web Services cloud database. Khosrowshahi revealed the breach incident on Nov. 22, roughly three months after taking over the chief executive role from Travis Kalanick, who was ousted following a series of corporate scandals. Although the company withheld news of the breach for a full year, Khosrowshahi claims he only recently learned of the attack.
One of the letters to Khosrowshahi was sent on Monday by four Republican senators who chair a committee or subcommittee relevant to the investigation: John Thune (R-S.D., Committee on Commerce, Science, and Transportation), Orrin Hatch (R-Utah, Committee on Finance), Jerry Moran (R-Kan., Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security), and Bill Cassidy (R-La., Subcommittee on Social Security, Pensions, and Family Policy).
Collectively, the four GOP senators posed 11 questions about the breach and Uber's subsequent response, imposing a deadline of Dec. 11 for a response. “…The nature of the information currently acknowledged to have been compromised, together with the allegation that the company concealed the breach without notifying affected drivers and consumers, and prior privacy concerns at Uber, makes this a serious incident that merits further security,” the letter states.
The letter suggests that Uber's attempts to cover up the incident run contrary to the data security and incident response measures that the company detailed in a January 2015 corporate report, following an assessment conducted by outside counsel. The report had stated that Uber “has put in place and continues to develop a data security program that is reasonably designed to protect Consumer Data from unauthorized access, use, disclosure, or loss.”
Perhaps more seriously, the GOP letter also said Uber's actions may have violated an August 15, 2017 consent order that prevents Uber from misrepresenting to the federal government how it keeps consumer data private, confidential, and secure. The order, which also requires Uber to institute a comprehensive data privacy program, was the result of a settlement between Uber and the Federal Trade Commission, following a separate 2014 breach that compromised more than 100,000 names and driver's license numbers that were also stored via AWS third-party services.
Also on Monday, Sen. Mark Warner (D-Va.) sent Khosrowshahi a letter expressing “grave concerns” over the company's handling of the breach. Warner cautioned that Uber's conduct “raises serious questions about the company's compliance with relevant state and federal regulations,” singling out a corporate statement acknowledging that Uber informed potential investor SoftBank of the incident before U.S. regulators or the public found out.
Warner posed six of his own questions, one of which asks if Uber may have committed an illegal act by hacking back the attackers in order to identify them. The senator also wants to know why Uber didn't share the intelligence it collected on the hackers with law enforcement.
Other questions from Warner include why more robust access management protections, such as two-factor authentication, weren't used for the third-party cloud storage, and what proof Uber has that the cyberthieves truly deleted the stolen data.
Meanwhile, the GOP Senators are asking for a comprehensive timeline of events, details on Uber's attempts to mitigate the incident, steps taken since the breach to ensure FTC compliance, and assurances that Social Security numbers were not stolen.