Senators raise questions about Uber’s response to reported 2015 data breach

Amid reports that Uber paid hackers $100,000 to delete customer information that was obtained in a data breach, a group of senators raised questions on Monday about the alleged breach and the company’s response.

© Shutterstock

In a letter to Uber CEO Dara Khosrowshahi, the senators questioned whether Uber followed its internal incident response plan and whether it appropriately disclosed a data breach that reportedly compromised the personal information of 57 million customers.

“The company maintains that its outside forensic experts have not seen any indication that customer trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded,” the letter stated. “Nevertheless, the nature of the information currently acknowledged to have been compromised, together with the allegation that the company concealed the breach without notifying affected drivers and consumers, and prior privacy concerns at Uber, makes this a serious incident that merits further scrutiny.”

The letter, which was signed by U.S. Sens. John Thune (R-SD), Orrin Hatch (R-UT), Jerry Moran (R-KS) and Bill Cassidy (R-LA), notes that an outside law firm commissioned by Uber’s board of directors uncovered the 2015 data breach.

The letter also notes that Uber entered into a consent order with the Federal Trade Commission (FTC) in August 2017 in response to the company’s privacy and data security standards.

“Among other things, the order prohibits Uber from misrepresenting the extent to which it protects the privacy, confidentiality, security or integrity of any personal information,” the letter stated. “The order also requires Uber to implement a comprehensive program to protect the privacy and confidentiality of the personal information it collects and maintains.”

The senators posed 11 questions including when Uber first learned about the data breach, how many customers were affected, what types of data were compromised, what regulators were notified, and what steps were taken to mitigate potential harm to consumers whose information was comprised.

The letter requests a response from the company no later than Dec. 11.