Uber Exec Admits it was “Wrong” Not to Reveal Breach Sooner
During testimony before a Senate Subcommittee on Consumer Protection yesterday, Uber’s Chief Information Security Officer said there was “no justification” for failing to report the 2016 data breach, which resulted in the information of 57 million drivers and customers being exposed. Of those, 29.1 million are U.S. citizens.
In a written statement, John Flynn said, “it was wrong not to disclose the breach earlier.”
Customer names, email addresses and phone numbers were obtained in the breach, but no credit card information, Social Security numbers, or travel information was leaked.
The hacker who obtained the data was paid $100,000 by Uber in 2016, but the incident was not reported until November 2017. Uber made the payment through its bug bounty program, which Flynn now says was “inappropriate.”
“We recognize that the bug bounty program is not an appropriate vehicle for dealing with intruders who seek to extort funds from the company,” he said. “The approach that these intruders took was separate and distinct from those of the researchers in the security community for whom bug bounty programs are designed.”
The men responsible for the leak resided in Florida and Canada, according to Reuters.
During the hearing, legislators called the company’s actions “morally wrong and legally reprehensible.”
“The fact that the company took approximately a year to notify impacted users raises red flags within this committee as to what systemic issues prevented such time-sensitive information from being made available to those left vulnerable,” added Senate panel chairman Sen. Jerry Moran, a Republican.
Flynn testified before the Subcommittee on the same day that Uber founder Travis Kalanick appeared in court for a trade secrets trial known as Waymo v. Uber.