Uber: We had “no justification” for covering up data breach
In written testimony, John Flynn, Uber’s chief information security officer, told a Senate committee that “it was wrong not to disclose the breach earlier.”
Flynn and representatives from security firms appeared as part of a hearing before the Senate Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security.
The company did not make the breach known until November 2017, when the new CEO, Dara Khosrowshahi, announced it. Fifty-seven million customers’ and drivers’ names, email addresses, and phone numbers were compromised—but no trip location info, credit card information, or Social Security numbers were taken.
As a result of the episode, Uber has been hit by numerous lawsuits that remain ongoing.
Initially, Uber kept the episode quiet and paid the hackers $100,000 as part of its bug bounty program—a tactic that is not typical of similar bounty programs at other firms.
“The fact that the company took approximately a year to notify impacted users raises red flags within this committee as to what systemic issues prevented such time-sensitive information from being made available to those left vulnerable,” Chairman Jerry Moran, a Republican senator from Kansas, said at the start of the hearing, according to Bloomberg.
Flynn’s testimony came the same day that Uber’s co-founder, Travis Kalanick, appeared in a San Francisco courtroom to testify in the Waymo v. Uber trade secrets trial.