Luján and Schakowsky Highlight Uber's FTC Deception ahead of Senate Hearing

Luján and Schakowsky Urge Senators to Re-examine Uber Data Breach

Lawmakers say Uber’s year-long cover-up of data breach affecting 57 million customers warrants closer look

[WASHINGTON, DC] – Congressman Ben Ray Luján (D-NM) and Congresswoman Jan Schakowsky, both of whom are members of the House Subcommittee on Digital Commerce and Consumer Protection, today sent a letter to the Chairman and Ranking Member of the Senate Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security regarding Uber’s concealment of its 2016 data breach from the Federal Trade Commission (FTC) as it negotiated a separate consent agreement with the FTC for an earlier breach.

This letter comes in advance of the Senate subcommittee’s hearing focused on the Uber breach, which will take place tomorrow, February 6, 2018. In the letter, Reps. Schakowsky and Luján highlighted their earlier request, made to the FTC at the end of December 2017, that the agency “reopen the consent agreement and reevaluate the adequacy of the remedies imposed in light of Uber’s actions”.

In their letter to Senators Moran and Blumenthal, Reps. Schakowsky and Luján lay out the timeline of Uber’s year-long cover-up of a data breach that affected 57 million customers and drivers. In the letter, the Members explain that in the intervening year between when Uber’s security team found out about the breach and when they reported it to the FTC, “as Uber employees were arranging a $100,000 ransom to recover the data and keep the 2016 breach quiet, the FTC was investigating a smaller 2014 data breach and actively negotiating a settlement with Uber regarding that 2014 breach.”

According to Reps. Schakowsky and Luján, “Uber’s concealment of critical facts as it negotiated with the FTC is extremely concerning.” The Members ended their letter urging the Senators to “explore what appears to be serious misconduct by Uber to hide information that would likely have resulted in stronger sanctions in the FTC enforcement action.”

The full text of the letter follows:

 

February 5, 2018

The Honorable Jerry Moran
Chairman
Subcommittee on Consumer Protection,
Product Safety, Insurance, and Data Security
Committee on Commerce, Science, and Transportation
512 Dirksen Senate Office Building
Washington, DC 20510

The Honorable Richard Blumenthal
Ranking Member
Subcommittee on Consumer Protection,
Product Safety, Insurance, and Data Security
Committee on Commerce, Science, and Transportation
716 Hart Senate Office Building
Washington, DC 20510

Dear Chairman Moran and Ranking Member Blumenthal:

We are writing in advance of your hearing titled “Data Security and Bug Bounty Programs: Lessons Learned from the Uber Breach and Security Researchers” to call your attention to Uber’s concealment of its 2016 data breach from the Federal Trade Commission (FTC) as it negotiated a consent agreement with the FTC for an earlier breach.  We believe that Uber must be held accountable for withholding this information from the FTC.  We recently sent a letter to the FTC urging the agency to reopen the consent agreement and reevaluate the adequacy of the remedies imposed on Uber for privacy violations.  We have attached a copy of our letter to the FTC for your reference.

Many facts about Uber’s year-long cover-up of a breach that affected 57 million customers and drivers are still unknown.  We do know, however, that the breach occurred in October 2016, Uber’s security team became aware of it in November 2016, and Uber did not notify the FTC until a year later, on November 21, 2017. During that intervening year, as Uber employees were arranging a $100,000 ransom to recover the data and keep the 2016 breach quiet, the FTC was investigating a smaller 2014 data breach and actively negotiating a settlement with Uber regarding that 2014 breach.  Uber signed a consent agreement with the FTC on August 15, 2017, without ever informing the agency of the second, much larger breach—one that resulted from a failure to correct the very security vulnerabilities that the FTC investigation of the 2014 breach exposed.

It remains unclear who within the company was aware of the breach for the year preceding disclosure to the FTC.  Uber has indicated that two employees were fired for “failing to disclose the incident to the appropriate parties,” implying that the breach was not widely known within the company. But it now appears that Uber’s former CEO, the legal and communications departments, and as many as 50 engineers may have been involved. Uber’s response to the breach was even praised in end-of-year performance reviews of security personnel.  It defies credulity that there was not at least some overlap between those aware of the 2016 breach and those responding to the FTC investigation of the 2014 breach.  Uber’s concealment of critical facts as it negotiated with the FTC is extremely concerning.

Thank you to your Committee for bringing attention to this important issue.  We urge you to explore what appears to be serious misconduct by Uber to hide information that would likely have resulted in stronger sanctions in the FTC enforcement action.

Sincerely,

Jan Schakowsky
Ranking Member, Subcommittee on Digital Commerce & Consumer Protection

Ben Ray Luján
Member, Subcommittee on Digital Commerce & Consumer Protection

  • Press Contact

    For more information about our releases, please contact (202) 226-6104.