Uber faces investigations by regulators over massive data breach
Listen to this article
Give us your feedback
Thank you for your feedback.
What do you think?
The regulatory fallout for Uber after it failed to disclose a massive data breach began to emerge on Wednesday, as regulators in the UK, US and Italy said they were opening investigations, presenting the latest challenge for the company as it tries to move on from a string of self-inflicted crises.
The financial and reputational cost of the hack will pose a major test for Dara Khosrowshahi, the ride-hailing company’s new chief executive, at a time when he is already fighting a potential ban in London and working to finalise a major investment deal led by SoftBank, the Japanese technology group.
Uber failed to tell users or regulators about the 2016 breach that included the names, email addresses and phone numbers of 50m passengers and 7m drivers for more than a year, the company admitted on Tuesday.
Regulators have responded swiftly, with officials in several of Uber’s key markets launching investigations within hours of the news. A class-action lawsuit on behalf of drivers whose information was compromised was also launched in California.
The US Federal Trade Commission said it was “closely evaluating the serious issues raised” by the hack. The New York attorney-general’s office, which reached a settlement with Uber over its privacy practices last year, said it was opening a fresh probe into the data breach.
Other states including Massachusetts, Illinois and Connecticut also said they had launched investigations. “We’ve been in touch with several state attorney-general offices and the FTC to discuss this issue, and we stand ready to co-operate with them going forward,” an Uber spokesman said.
Uber realised that it had been hacked late last year but did not notify regulators or the people affected. It also paid $100,000 to the hackers to destroy the stolen information, the company said.
The way the incident was handled raises new questions about the judgment of Travis Kalanick, Uber’s chief executive at the time, and Joe Sullivan, the company’s chief security officer, who was fired on Tuesday as a result of the incident.
Mr Kalanick was ousted by investors in June but remains on the board and owns a 10 per cent stake in the company. A spokesman for Mr Kalanick declined to comment.
The scope of the data breach, at a company that has been known to flout convention and regulation, may also cause investors to ask if there are any more skeletons in the closet.
A consortium of investors led by SoftBank is preparing to inject as much as $10bn in Uber through a complex deal that could close by the end of the year if enough Uber shareholders agree to sell their shares to SoftBank at a discounted rate.
Uber’s turnround efforts include hiring a new chief legal officer, Tony West, whose first day on the job was Wednesday.
Katie Moussouris, founder of Luta Security, said the US Federal Trade Commission and EU regulators were likely to investigate the hack. The FTC did not return a request for comment.
“It is clear that Uber took about a year, which doesn’t seem like a reasonable timeframe” to report a data breach, Ms Moussouris said. If the company covered up the attack, it could be criminally liable in the US, she added.