Uber CISO: There was no justification for hiding data breach
Senators slam taxi firm for cover-up of hack affecting 57 million people


Uber's CISO yesterday admitted that there was "no justification" for covering up a huge data breach affecting millions of customers and drivers.
The breach, which was first disclosed in November last year, exposed the personal information of 57 million riders and drivers, including 2.7 million in the UK, as well as the driver's licence numbers of roughly 600,000 drivers.
John Flynn, Uber's chief information security officer, told US lawmakers at a Senate hearing yesterday that the company made an error in not disclosing the intrusion to the authorities or to its customers, saying: "We made a misstep in not reporting to consumers, and I think we made a misstep in not reporting to law enforcement."
Rather than report the breach, Uber paid one of the two hackers responsible $100,000 to keep the breach under wraps and to not leak the stolen data.
Senators also noted that while Uber was covering this breach up, it was in the midst of negotiations with the Federal Trade Commission over a settlement for an earlier data breach.
The money was delivered through Uber's bug bounty programme, a framework normally used to reward ethical hackers for reporting flaws to a company rather than exploiting them. Flynn acknowledged in his testimony that this use of the programme was "inappropriate".
"We recognise that the bug bounty programme is not an appropriate vehicle for dealing with intruders who seek to extort funds from the company," he said. "The approach that these intruders took was separate and distinct from those of the researchers in the security community for whom bug bounty programmes are designed."
Legislators slammed Uber over its conduct, calling its actions "morally wrong and legally reprehensible".
"There ought to be no question here that Uber's payment of this blackmail without notifying consumers who were greatly at risk was morally wrong and legally reprehensible and violated not only the law but the norm of what should be expected," said Democratic senator Richard Blumenthal.
"The fact that the company took approximately a year to notify impacted users raises red flags within this committee as to what systemic issues prevented such time-sensitive information from being made available to those left vulnerable," added Republican senator Jerry Moran, who chairs the Senate panel.
Adam Shepherd has been a technology journalist since 2015, covering everything from cloud storage and security, to smartphones and servers. Over the course of his career, he’s seen the spread of 5G, the growing ubiquity of wireless devices, and the start of the connected revolution. He’s also been to more trade shows and technology conferences than he cares to count.
Adam is an avid follower of the latest hardware innovations, and he is never happier than when tinkering with complex network configurations, or exploring a new Linux distro. He was also previously a co-host on the ITPro Podcast, where he was often found ranting about his love of strange gadgets, his disdain for Windows Mobile, and everything in between.
You can find Adam tweeting about enterprise technology (or more often bad jokes) @AdamShepherUK.