The $68bn ride-hailing company acknowledged Tuesday that hackers had stolen the personal information in October 2016, and that Uber had paid them $100,000 to destroy the information and keep the breach quiet.
The global nature of the breach exposes Uber to potential liability in numerous jurisdictions. Many countries and US states have laws requiring companies to inform individuals if their personal information has been compromised.
“Uber has made Equifax’s response to the data breach look very good, which is really saying something,” said Gus Hurwitz, co-director of the University of Nebraska college of law’s space, cyber and telecom law program. He was referring to a breach this year of the credit monitoring agency Equifax in which the social security numbers of 143 million Americans were exposed.
Authorities in the United States, United Kingdom, Australia, and the Philippines said on Wednesday they were launching investigations.
“Uber’s announcement about a concealed data breach last October raises huge concerns around its data protection policies and ethics,” James Dipple-Johnstone of the UK’s information commissioner’s office, said in a statement. “Deliberately concealing breaches from regulators and citizens could attract higher fines for companies.”
Raymund Enriquez Liboro, the privacy commissioner of the Philippines, said in a statement that the commission had “summoned” Uber to a meeting on 23 November to “shed more light about the incident” and to comply with its data privacy laws.
A spokesperson for the US federal trade commission [FTC], which has broad authority to take action against companies engaging in deceptive or unfair practices, said the commission was “closely evaluating the serious issues raised” by the breach and Uber’s failure to disclose it.
Democratic senator Richard Blumenthal called for the FTC to “take swift enforcement action and impose significant penalties” on Uber in a series of tweets. Blumenthal also called for a Senate hearing “to demand Uber explain their outrageous breach – and inexplicable delay in informing its consumers and drivers”.
Uber reached a settlement with the FTC over privacy and data security issues in August. Hurwitz said that the FTC will likely now investigate both the 2016 breach itself and whether Uber violated its consent decree or withheld information from the FTC – which could result in fines.
State attorneys general in New York, Illinois, Connecticut and Massachusetts confirmed that they were launching investigations. Forty-eight US states have some version of laws requiring companies to notify individuals of security breaches.
“Failure to notify can subject Uber to substantial monetary damages, especially if it was intentional,” said Hurwitz. “Generally, it’s a fine per record. You can see how those numbers get very large very quickly.”
“We’ve been in touch with several state attorney general offices and the FTC to discuss this issue, and we stand ready to cooperate with them,” an Uber spokesperson said.
Uber has not responded to numerous queries from the Guardian seeking information on the number of countries whose residents were affected by the hack.
This latest scandal caps – unless something else arises before 31 December – a troubled year for Uber; 2017 started with the viral #deleteuber movement and continued apace with the Greyball revelation, Susan Fowler’s sexual harassment memo, and Travis Kalanick’s ousting from the company he built.