Uber is in hot water for waiting a whole year to announce a data breach of information on 57 million users, and not just with angry riders and drivers. The company is now under a microscope with regulators, who want to enforce rules that required the company to come clean sooner.
The New York State Attorney General has opened an investigation into the incident, which Uber made public Tuesday. Officials for Connecticut, Illinois and Massachusetts also confirmed they're investigating the hack. The New Mexico Attorney General sent Uber a letter asking for details of the hack and how the company responded. What's more, Uber appears to have broken a promise made in a Federal Trade Commission settlement not to mislead users about data privacy and security, a legal expert says.
"It appears they violated the FTC consent order before the ink was dry on it," said Ed McAndrew, a former federal cybercrimes prosecutor who now advises companies on how to comply with the law at the Ballard Spahr firm.
In addition to its agreement with the FTC, Uber is required to follow laws in New York and 47 other states that require companies to notify people when their drivers' license numbers are breached. Uber acknowledged Tuesday that it had a legal requirement to disclose the breach.
"We've been in touch with several state Attorney General Offices and the FTC to discuss this issue, and we stand ready to cooperate with them going forward," an Uber spokesman said in an emailed statement.
The increased scrutiny could add to Uber's growing legal problems, which most recently include a volley of lawsuits alleging the company doesn't do enough to protect riders from sexual assault and harassment. This latest scandal adds to criticisms of Uber's approach to privacy -- for its handling of previous data breaches, as well as its use of a special "God view" in which Uber employees could see where any user was while using the service. In this case, it appears the company's leadership was promising regulators it would do better at protecting your data one minute and concealing a hack of user data the next.
Stolen data often makes its way onto black markets on the internet, which are hosted on hidden websites that form a shadowy network called the Dark Web.
The breach happened in October 2016, Uber said Tuesday. Hackers accessed names and email addresses, as well as the drivers' license numbers of 600,000 Uber drivers, by stealing the password to a cloud database hosted by Amazon Web Services. Uber said in a statement Tuesday it first became aware of the hack in November 2016. Since that time, CEO Travis Kalanick stepped down and was replaced by Dara Khosrowshahi in August.
Around the same time the breach happened in October 2016, Uber was negotiating a settlement with the FTC that stemmed in part from a previous data breach. The first provision in the settlement, which Uber officially agreed to in August, said the company "must not misrepresent in any manner, expressly or by implication... the extent to which Respondent protects the privacy, confidentiality, security, or integrity of any Personal Information."
That's why hiding this breach could be a big problem for Uber, McAndrew said. "At the very time they were negotiating a consent order with the FTC, they were knowingly not disclosing it." The terms of the settlement also require Uber to swear under penalty of perjury on an annual basis that it's in compliance with the settlement order. That anniversary hasn't come up yet.