It has emerged that Uber’s new CEO Dara Khosrowshahi was informed about Uber’s most recent and largest data breach more than two months before the public. The reveal is strikingly reminiscent of Equifax’s fumbled attempts to curb its massive data breach earlier this summer, in which it kept the news quiet for five weeks despite the attack affecting 143 million Americans and 15 million Brits.
According to sources close to the Wall Street Journal, Khosrowshahi was made aware of Uber’s breach (which was perpetrated in October 2016) two weeks before taking the reins on September 5th 2017 – more than two months before informing the public.
The WSJ tipsters have noted that there were reasons behind the delay, however. Khosrowshahi allegedly ordered a prompt investigation, as he himself has stated, but Uber and Mandiant (security firm FireEye’s digital forensics division) first wanted to determine the scale of the breach and to fire the two executives who had apparently tried to cover up the attack. The first large organisation to know was prospective investor SoftBank, which was made aware roughly three weeks before the WSJ reveal.
Uber has since confirmed the broad outlines of the WSJ report. The company conceded that it had informed SoftBank first because doing so was “consistent with our duty to disclose to a potential investor, even though our information at the time was preliminary and incomplete”.
“We also made clear that our forensic investigation was ongoing,” Uber added. “Once our internal inquiry concluded and we had a more complete understanding of the facts, we disclosed to regulators and our customers in a very public way.”
The Article 29 Data Protection Working Party – one of Europe’s leading authorities on data incidents – is planning to discuss the incident today. While EU data protection authorities cannot impose sanctions themselves, they can set up task forces and assist in national investigations. National regulators will also gain the power to impose much higher fines of up to 4% of a firm’s global turnover when the GDPR comes into effect next May.
“We cannot but voice our strong concern for the breach suffered by Uber, which was reported belatedly by the U.S. company. We initiated our inquiries, and are gathering all the information that can help us assess the scope of the data breach and take the appropriate steps to protect any Italian citizens involved,” said Antonello Soro, President of the Italian Data Protection Authority, last Wednesday.
In a statement, the UK’s ICO added: “We can confirm that UK citizens have been affected by the data breach involving Uber last October. As UK citizens would expect, the ICO is in direct contact with the company to establish the numbers and what kind of personal data may have been compromised. We are working with the NCSC plus other relevant authorities in the UK and overseas to determine the scale of the breach, and what steps need to be taken by the firm to ensure it fully complies with its data protection obligations.
“It’s always the company’s responsibility to identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers. Deliberately concealing breaches from regulators and citizens could attract higher fines for companies.”