The ride-hailing service faces lawsuits, state investigations and a federal criminal probe over a $100,000 payment to a hacker in a case that put the information of 57 million driver and rider accounts at risk.
The email resembled other messages that Joe Sullivan, Uber’s chief security officer, received in the company’s “bug bounty” program, which pays hackers for reporting holes in the ride-hailing service’s systems. Yet the note and Uber’s $100,000 payment to the hacker, which was initially celebrated internally as a rare win in corporate security, have turned into a public relations debacle for the company, the New York Times reports. In November, when Uber disclosed the 2016 incident and how the information of 57 million driver and rider accounts had been at risk, chief executive Dara Khosrowshahi called it a “failure” that it had not notified people earlier. Sullivan and a security lawyer were fired.
Not only did Uber pay an outsize amount to the hacker, but it also did not disclose for a year that it had briefly lost control of so much consumer and driver data. The behavior raised questions of a cover-up and a lack of transparency, as well as whether the payment really was just a ransom paid by a security operation that had acted on its own for too long. The hacking is the subject of at least four lawsuits, with attorneys general in five states investigating whether Uber broke laws on data-breach notifications. In addition, the U.S. Attorney in San Francisco has begun a criminal investigation. The hacking and Uber’s response have fueled a debate about whether companies that have crusaded to lock up their systems can scrupulously work with hackers without putting themselves on the wrong side of the law.