Reps. Jan Schakowsky (D-Ill.) and Ben Ray Luján (D-N.M.), both of whom are members of the House Subcommittee on Digital Commerce and Consumer Protection, on Monday sent a letter to the Chairman and Ranking Member of the Senate Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security regarding Uber’s concealment of its 2016 data breach from the Federal Trade Commission (FTC) as it negotiated a separate consent agreement with the FTC for an earlier breach.
This letter came in advance of the Senate subcommittee’s hearing focused on the Uber breach. In the letter, Reps. Schakowsky and Lujan highlighted their earlier request, made to the FTC at the end of December 2017, that the agency “reopen the consent agreement and reevaluate the adequacy of the remedies imposed in light of Uber’s actions.”
In their letter to Senators Moran and Blumenthal, Reps. Schakowsky and Lujan laid out the timeline of Uber’s year-long cover-up of a data breach that affected 57 million customers and drivers.
In the letter, the legislators explain that in the intervening year between when Uber’s security team found out about the breach and when they reported it to the FTC, “as Uber employees were arranging a $100,000 ransom to recover the data and keep the 2016 breach quiet, the FTC was investigating a smaller 2014 data breach and actively negotiating a settlement with Uber regarding that 2014 breach.”
According to Reps. Schakowsky and Lujan, “Uber’s concealment of critical facts as it negotiated with the FTC is extremely concerning.” The Members ended their letter urging the Senators to “explore what appears to be serious misconduct by Uber to hide information that would likely have resulted in stronger sanctions in the FTC enforcement action.”
At the Senate hearing on Tuesday, Uber Chief Information Security Officer John Flynn acknowledged that it was a mistake to not notify users. This position was reiterated in a written testimony.
“First, I would like to echo statements made by new leadership, and state publicly that it
was wrong not to disclose the breach earlier. The breach should have been disclosed in a timely manner,” wrote Flynn.
Uber paid the hacker to delete the files using money from a bug bounty program, which incentivizes so-called white hat or ethical hackers to alert companies of security flaws that companies can then fix independently.