By Greg Bensinger and Robert McMillan
This article is being republished as part of our daily
reproduction of WSJ.com articles that also appeared in the U.S.
print edition of The Wall Street Journal (November 22, 2017).
Uber Technologies Inc. on Tuesday revealed it paid hackers
$100,000 in an effort to conceal a data breach affecting 57 million
accounts one year ago, a disclosure that adds to a string of
scandals and legal problems for the world's most highly valued
startup.
The ride-hailing firm said it fired its chief security officer,
Joe Sullivan, and deputy Craig Clark for their roles in the breach
and for covering it up.
In addition to the names, emails and phone numbers of millions
of riders, about 600,000 drivers' license numbers were accessed,
Uber said. Uber said financial information such as credit cards and
Social Security numbers weren't taken. Uber said it identified the
hackers and "obtained assurances" they had destroyed the stolen
data.
The San Francisco company said it would notify owners of the
affected accounts in the coming days.
While the scale of the breach pales in comparison to recent
disclosures from Yahoo Inc. and Equifax Inc., Uber's attempts to
keep it quiet raise questions about how many people knew about it
and whether officers still at the company were part of the
effort.
The New York State Attorney General's office has opened an
investigation into the breach, a spokeswoman said in an email
Tuesday. She didn't give further details.
Neither Mr. Sullivan nor Mr. Clark could be immediately reached
for comment. A spokesman for Uber declined to say who had
authorized the $100,000 payment. A spokeswoman for Travis Kalanick,
who was CEO during the time of the breach, declined to comment.
"None of this should have happened, and I will not make excuses
for it," Chief Executive Dara Khosrowshahi said in a statement regarding
the breach and coverup. "While I can't erase the past, I can commit
on behalf of every Uber employee that we will learn from our
mistakes."
Bloomberg earlier reported on the breach at Uber.
The coverup is another challenge for the recently hired CEO, who
in less than three months on the job has tried to bring stability
after a year of controversies and missteps that took place under
Mr. Kalanick, Uber's co-founder. Valued at $68 billion by
investors, Uber has developed a reputation for pushing the limits
of the law in its pursuit of dominating the ride-hailing
market.
As Uber CEO, Mr. Khosrowshahi has inherited several federal
probes of the company over programs targeting rivals and
regulators, as well as a possible violation of the Foreign
Corrupt Practices Act.
Uber is in a heated legal battle with Google parent Alphabet
Inc., which filed suit in February alleging the company stole trade
secrets related to self-driving cars. And it is trying to recover
from claims by a former female engineer that management ignored
complaints from her and other women of sexism and harassment.
The company has said it is cooperating with federal regulators
in their investigations. It disputes the allegations made by
Alphabet and is contesting the lawsuit in court.
Mr. Khosrowshahi's short reign at Uber has been riddled with
infighting among directors, particularly between Mr. Kalanick and
investor Benchmark Capital over the company's corporate governance.
In the midst of all this, he has spent weeks negotiating a deal for
SoftBank Group Inc. to invest upward of $10 billion in the company
through direct investments and stake purchases from employees and
other investors.
SoftBank is working to determine a price at which it will offer
to buy billions of shares through a tender offer from existing
investors at a discount to Uber's $68 billion valuation, according
to people familiar with the matter.
Uber disclosed the breach ahead of the tender offer because it
could be considered material to investors, the people said. It's
unclear if SoftBank may use the disclosure as a negotiating chit,
and a spokesman for the Japanese investor declined to comment.
Uber said the data breach happened in October 2016 and Mr.
Kalanick learned of the hack in November 2016. The company said it
took "immediate steps" to secure the data and shut down
unauthorized access while strengthening its security controls. But
Uber said it failed to disclose the breach to authorities,
customers and drivers, and after Mr. Khosrowshahi learned of the
coverup, he ordered an investigation into the circumstances behind
the breach and fired Mr. Sullivan and Mr. Clark.
Uber said it hired Matt Olsen, a cybersecurity expert and former
general counsel of the National Security Agency, to advise the
company and retained FireEye Inc.'s Mandiant to help with security
monitoring.
The ride-hailing company said it is offering free credit
monitoring for affected drivers and additional monitoring for fraud
on the accounts of the customers affected.
Securities and Exchange Commission regulations compel publicly
traded companies to disclose major data breaches. Earlier this year
the SEC launched a probe into Yahoo, now a unit of Verizon
Communications Inc., and whether the company disclosed a major 2014
security breach in a timely manner. But as a privately held company,
Uber is unlikely to be the target of an SEC investigation, said
David Chase, a former SEC enforcement attorney. While the SEC could
investigate any misrepresentations Uber made in connection with a
sale of shares in the company, "the SEC probably would not commit
resources, thinking that a sophisticated investor like SoftBank
could do the required due diligence," he said.
With no federal data privacy law, Uber's obligation to report
the breach falls under a patchwork of data-breach laws in 48 states
that come with differing and often complex notification
requirements. The laws generally apply if a victim of a hack lives
in that state.
Companies that fail to notify users in a timely manner following
a breach are technically in violation of these laws, but
prosecutions are extremely rare, said Avivah Litan, an analyst with
the industry research firm Gartner Inc.
States "don't have the staff to enforce these laws," Ms. Litan
said.
By failing to give notice of its breach, Uber may be exposing
itself to consumer lawsuits, said Chris Hoofnagle, a University of
California, Berkeley, law professor.
Write to Greg Bensinger at greg.bensinger@wsj.com and Robert
McMillan at Robert.Mcmillan@wsj.com
(END) Dow Jones Newswires
November 22, 2017 02:47 ET (07:47 GMT)
Copyright (c) 2017 Dow Jones & Company, Inc.