Luján and Schakowsky Urge Federal Trade Commission to Scrutinize Uber's Handling of Data Breach Involving 57 Million Customers
[WASHINGTON, DC] – Reps. Ben Ray Luján (D-NM) and Jan Schakowsky (D-IL) this week sent a letter to the Chairman of the Federal Trade Commission (FTC) expressing significant concerns regarding Uber’s privacy and security practices. Earlier this year, Uber and the federal government reached an agreement to address privacy and data security violations. However, while the company was negotiating this settlement, it was also concealing a massive data breach involving more than 57 million consumers and Uber drivers.
The lawmakers’ letter urges the FTC to consider reopening the case and re-evaluate the adequacy of the remedies imposed on Uber in the settlement. In the letter, Luján and Schakowsky wrote:
“We write to express our concern regarding recent revelations that Uber Technologies, Inc. was actively concealing a massive data breach at the same time it was negotiating a settlement with the Federal Trade Commission (FTC) for poor privacy and data security practices.
Instead of notifying law enforcement and the public of the breach, Uber paid the hackers a $100,000 ransom in exchange for an agreement to destroy the stolen information and keep the incident secret. Uber took steps to conceal the incident by pushing the hackers to sign nondisclosure agreements and disguising the ransom as legitimate payments from a bug bounty program. . . . At the same time that Uber was covering up the 2016 breach, the company was negotiating a consent agreement with FTC to address earlier privacy and data security violations.
Uber's conduct indicates a troubling pattern of disregard for accountability and transparency with respect to its handling of users’ personal information . . . Uber has also repeatedly deceived the public about its privacy practices.”
Luján and Schakowsky also posed a series of detailed questions regarding Uber’s past actions and asked the FTC to provide them with an official briefing on the matter.
Full text of the letter is below:
December 21, 2017
Maureen K. Ohlhausen
Federal Trade Commission
600 Pennsylvania Avenue, N.W.
Washington, D.C. 20580
Dear Acting Chairman Ohlhausen:
We write to express our concern regarding recent revelations that Uber Technologies, Inc. was actively concealing a massive data breach at the same time it was negotiating a settlement with the Federal Trade Commission (FTC) for poor privacy and data security practices. In light of this new information, we ask that you consider reopening the public comment period and reevaluate the adequacy of the remedies imposed on Uber in the proposed settlement.
On November 21, 2017, Uber disclosed for the first time that the personal information of 57 million Uber riders and drivers had been stolen by hackers in late 2016. Instead of notifying law enforcement and the public of the breach, Uber paid the hackers a $100,000 ransom in exchange for an agreement to destroy the stolen information and keep the incident secret. Uber took steps to conceal the incident by pushing the hackers to sign nondisclosure agreements and disguising the ransom as legitimate payments from a bug bounty program.
At the same time that Uber was covering up the 2016 breach, the company was negotiating a consent agreement with FTC to address earlier privacy and data security violations. FTC announced the proposed consent on August 15, 2017, before the 2016 breach was made public and presumably without considering the massive scale of the 2016 breach and Uber’s cover-up in deciding what remedies were needed to adequately protect consumers. The proposed consent relates to a smaller 2014 breach affecting the personal information of more than 100,000 Uber drivers. FTC’s administrative complaint charged Uber only with deceptive practices for making false and misleading statements about its privacy policies. Unlike other recent FTC data security cases, the Uber complaint did not include any charges that the company engaged in unfair practices for failing to adequately protect the information it collected. The proposed administrative consent prohibits Uber from misrepresenting its privacy policies and requires Uber to implement specific steps to enhance its privacy protections and submit to third party auditing. The consent did not include any monetary relief.
Uber's conduct indicates a troubling pattern of disregard for accountability and transparency with respect to its handling of users’ personal information. In a statement responding to the proposed agreement, Uber claimed it had “significantly strengthened [its] privacy and data security practices” since 2014. But both the 2014 and 2016 breaches occurred because Uber left employee login credentials exposed in code posted on Github, an online code-sharing repository.
Uber has also repeatedly deceived the public about its privacy practices. The proposed consent agreement addresses Uber’s use of a tool known as “God View” to secretly track users without proper notice or oversight. But it does not address the use of another tool known as “Greyball” used to secretly track and evade regulators, which was only disclosed by Uber after a New York Times investigation in March 2017.
Dara Khosrowshahi, Uber’s new C.E.O. as of August 2017, has since made some changes at Uber in an attempt to distance the company from its previous misconduct, branding it “Uber 2.0.” However, larger questions remain about Uber’s commitment to meaningfully reforming its leadership and company culture. Only two Uber employees were fired in response to the 2016 breach and subsequent cover-up. Furthermore, Travis Kalanick, Uber’s cofounder and C.E.O. until June 2017, still controls a majority of Uber’s voting shares and three seats on the company’s board of directors. Mr. Kalanick reportedly knew of the 2016 breach and Uber’s payments through the bug bounty program since November 2016.
Uber's decision to keep the 2016 breach secret for nearly a year raises serious concerns about whether Uber was negotiating with FTC in good faith, and about whether the company has the intention and ability to properly administer the proposed consent. I therefore request a briefing on this matter with my staff and Committee staff. Please be prepared to discuss the following questions.
1. When did Uber first inform FTC of the 2016 breach and Uber’s response? Was FTC aware of the 2016 breach and Uber’s response when the Commission approved the proposed consent in August 2017?
2. It is our understanding that at least 20 Uber employees, as well as the C.E.O., were aware of the 2016 breach at the time Uber was negotiating with FTC. Given this, was the termination of only two employees in response to the 2016 breach sufficient to ensure the culture has changed and that Uber is likely to comply with the proposed consent?
3. Did Uber fail to comply with the terms of any civil investigative demand by withholding documents, information, or other relevant evidence related to FTC’s investigation, including any evidence related to the 2016 breach and the company’s response?
4. Did Uber violate any laws or regulations, including provisions related to preservation of records or making false statements, by destroying any evidence, by failing to disclose the 2016 breach and its response to that breach in the course of FTC’s investigation, or any other action?
5. Is FTC conducting a separate investigation of Uber’s “Greyball” tool? Did the Commission consider Uber’s use of the “Greyball” tool when voting to approve the proposed consent?
6. Given that the 2014 breach involved personal information from over 100,000 Uber drivers including, for a subset of those drivers, Social Security number and bank account numbers, why did FTC not challenge the breach as both deceptive and unfair?
7. Has the Commission considered whether consumers would be better served if the Commission reopened its case against Uber and issued a new complaint in federal court, under Section 13(b) of the FTC Act, 15 U.S.C. § 53(b), that would include new charges on the 2016 breach and cover-up and seek broader remedies, including monetary relief?
Your assistance in this matter is greatly appreciated.
Ben Ray Luján
Subcommittee on Digital Commerce and Consumer Protection
Jan Schakowsky
Subcommittee on Digital Commerce and Consumer Protection
Notes:
1. Uber Technologies, Inc., 2016 Data Security Incident (Nov. 21, 2017) (press release).
2. Uber Hid 2016 Breach, Paying Hackers to Delete Stolen Data, New York Times (Nov. 21, 2017).
3. Federal Trade Commission, Uber Settles FTC Allegations that It Made Deceptive Privacy and Data Security Claims (Aug. 15, 2017) (press release).
4. See, e.g., FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (Aug. 24, 2015) (company’s failure to maintain reasonable data security for sensitive personal information resulting in breach fell within the plain meaning of an “unfair” act or practice in violation of Section 5 of the FTC Act).
5. See note 4.
6. See note 4.
7. Uber Agrees to 20 Years of Privacy Audits to Settle FTC Data Mishandling Probe, TechCrunch (Aug. 15, 2017).
8. Uber Hack Shows Vulnerability of Software Code-Sharing Services, Bloomberg (Nov. 22, 2017); Uber Paid Hackers to Delete Stolen Data on 57 Million People, Bloomberg (Nov. 21, 2017).
9. Uber Agrees to Privacy Audits in Settlement with F.T.C., New York Times (Aug. 15, 2017).
10. Uber Settles U.S. Allegations Over Data Privacy, Reuters (Aug. 15, 2017); How Uber Deceives the Authorities Worldwide, New York Times (Mar. 3, 2017).
11. Uber 2.0: New C.E.O. Wants to Put His Stamp on the Company, New York Times (Nov. 9, 2017).
12. See note 2.
13. In Power Move at Uber, Travis Kalanick Appoints 2 to Board, New York Times (Sep. 29, 2017); Uber Founder Travis Kalanick Resigns as C.E.O., New York Times (Jun. 21, 2017).
14. Exclusive: Uber Paid 20-Year-Old Florida Man to Keep Data Breach Secret – Sources, Reuters (Dec. 6, 2017).