By Greg Bensinger and Robert McMillan 

This article is being republished as part of our daily reproduction of WSJ.com articles that also appeared in the U.S. print edition of The Wall Street Journal (November 22, 2017).

Uber Technologies Inc. on Tuesday revealed it paid hackers $100,000 in an effort to conceal a data breach affecting 57 million accounts one year ago, a disclosure that adds to a string of scandals and legal problems for the world's most highly valued startup.

The ride-hailing firm said it fired its chief security officer, Joe Sullivan, and deputy Craig Clark for their roles in the breach and for covering it up.

In addition to the names, emails and phone numbers of millions of riders, about 600,000 drivers' license numbers were accessed, Uber said. Uber said financial information such as credit cards and Social Security numbers weren't taken. Uber said it identified the hackers and "obtained assurances" they had destroyed the stolen data.

The San Francisco company said it would notify owners of the affected accounts in the coming days.

While the scale of the breach pales in comparison to recent disclosures from Yahoo Inc. and Equifax Inc., Uber's attempts to keep it quiet raise questions about how many people knew about it and whether officers still at the company were part of the effort.

The New York State Attorney General's office has opened an investigation into the breach, a spokeswoman said in an email Tuesday. She didn't give further details.

Neither Mr. Sullivan nor Mr. Clark could be immediately reached for comment. A spokesman for Uber declined to say who had authorized the $100,000 payment. A spokeswoman for Travis Kalanick, who was CEO during the time of the breach, declined to comment.

"None of this should have happened, and I will not make excuses for it," Chief Executive Dara Khosrowshahi said in a statement regarding the breach and coverup. "While I can't erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes."

Bloomberg earlier reported on the breach at Uber.

The coverup is another challenge for the recently hired CEO, who in less than three months on the job has tried to bring stability after a year of controversies and missteps that took place under Mr. Kalanick, Uber's co-founder. Valued at $68 billion by investors, Uber has developed a reputation for pushing the limits of the law in its pursuit of dominating the ride-hailing market.

As Uber CEO, Mr. Khosrowshahi has inherited several federal probes of the company over programs targeting rivals and regulators, as well as a possible violation of the Foreign Corrupt Practices Act.

Uber is in a heated legal battle with Google parent Alphabet Inc., which filed suit in February alleging the company stole trade secrets related to self-driving cars. And it is trying to recover from claims by a former female engineer that management ignored complaints from her and other women of sexism and harassment.

The company has said it is cooperating with federal regulators in their investigations. It disputes the allegations made by Alphabet and is contesting the lawsuit in court.

Mr. Khosrowshahi's short reign at Uber has been riddled with infighting among directors, particularly between Mr. Kalanick and investor Benchmark Capital over the company's corporate governance. In the midst of all this, he has spent weeks negotiating a deal for SoftBank Group Inc. to invest upward of $10 billion in the company through direct investments and stake purchases from employees and other investors.

SoftBank is working to determine a price at which it will offer to buy billions of shares through a tender offer from existing investors at a discount to Uber's $68 billion valuation, according to people familiar with the matter.

Uber disclosed the breach ahead of the tender offer because it could be considered material to investors, the people said. It's unclear if SoftBank may use the disclosure as a negotiating chit, and a spokesman for the Japanese investor declined to comment.

Uber said the data breach happened in October 2016 and Mr. Kalanick learned of the hack in November 2016. The company said it took "immediate steps" to secure the data and shut down unauthorized access while strengthening its security controls. But Uber said it failed to disclose the breach to authorities, customers and drivers, and after Mr. Khosrowshahi learned of the coverup, he ordered an investigation into the circumstances behind the breach and fired Mr. Sullivan and Mr. Clark.

Uber said it hired Matt Olsen, a cybersecurity expert and former general counsel of the National Security Agency, to advise the company and retained FireEye Inc.'s Mandiant to help with security monitoring.

The ride-hailing company said it is offering free credit monitoring for affected drivers and additional monitoring for fraud on the accounts of the customers affected.

Securities and Exchange Commission regulations compel publicly traded companies to disclose major data breaches. Earlier this year the SEC launched a probe into Yahoo, now a unit of Verizon Communications Inc., and whether the company disclosed a major 2014 security breach in a timely manner.

But as a privately held company, Uber is unlikely to be the target of an SEC investigation, said David Chase, a former SEC enforcement attorney. While the SEC could investigate any misrepresentations Uber made in connection with a sale of shares in the company, "the SEC probably would not commit resources, thinking that a sophisticated investor like SoftBank could do the required due diligence," he said.

With no federal data privacy law, Uber's obligation to report the breach falls under a patchwork of data-breach laws in 48 states that come with differing and often complex notification requirements. The laws generally apply if a victim of a hack lives in that state.

Companies that fail to notify users in a timely manner following a breach are technically in violation of these laws, but prosecutions are extremely rare, said Avivah Litan, an analyst with the industry research firm Gartner Inc.

States "don't have the staff to enforce these laws," Ms. Litan said.

By failing to give notice of its breach, Uber may be exposing itself to consumer lawsuits, said Chris Hoofnagle, a University of California, Berkeley, law professor.

Write to Greg Bensinger at greg.bensinger@wsj.com and Robert McMillan at Robert.Mcmillan@wsj.com

 


November 22, 2017 02:47 ET (07:47 GMT)

Copyright (c) 2017 Dow Jones & Company, Inc.