(CNN Money) — Uber’s disclosure that hackers accessed the personal information of 57 million riders and drivers last year, a breach it didn’t disclose publicly until Tuesday, adds new potential legal woes for the already troubled company.
At the time of the breach, Uber paid hackers $100,000 to destroy the data and did not tell regulators or users that their information was stolen.
Uber is trying to salvage its reputation following a number of high-profile controversies, including using software called Greyball to evade regulators, a court battle over allegedly stolen secrets from Google’s self-driving car division, and a slew of complaints regarding sexual harassment and toxic company culture.
Uber CEO Dara Khosrowshahi said two hackers broke into the company in late 2016 and stole personal data, including phone numbers, email addresses, and names, of 57 million Uber users. Among those, the hackers stole 600,000 driver’s license numbers of drivers for the company.
Khosrowshahi says hackers accessed the data through a third-party, cloud-based service. According to Bloomberg, they got into Uber’s GitHub account, a site many engineers and companies use to store code and track projects. There, hackers found the username and password to access Uber user data stored in an Amazon server.
Jeremiah Grossman, chief of security strategy at security firm SentinelOne, says this was not a sophisticated hack. Companies frequently accidentally keep credentials in source code that is uploaded to GitHub, he said.
The $100,000 payment
Instead of alerting users and authorities to the breach as required by law, Uber paid the hackers $100,000.
Uber says it obtained assurances the data was destroyed.
Law enforcement advises companies to not pay hackers and report breaches to the authorities.
According to Andrea Matwyshyn, professor of law and computer science at Northeastern University, if companies help cyber criminals make money off hacks, they will only continue.
“The problem with viewing this as some sort of simple risk management decision is that it underestimates the basis for an attacker’s business model,” Matwyshyn told CNN Tech. “It doesn’t address the underlying problem in your own organization — your security practices need revision and you’re failing to adequately protect your assets including your own proprietary information, and your customers’ data.”
Paying hackers to return data is common practice. For instance, it’s expected ransomware payments — paying hackers to unlock files after a cyberattack — will top $2 billion this year, according to new research from cybersecurity firm Bitdefender.
Uber’s payoff to prevent hackers from leaking the stolen data is more similar to recent extortion attempts on Netflix and HBO than ransomware campaigns. Hackers threatened to release TV shows unless the companies paid them. Neither firm paid the extortionists.
New legal troubles
Matwyshyn says it’s possible Uber will face consequences from both state and federal agencies.
Forty-eight states have security breach notification laws which require companies to disclose when hackers access private information, including California, where Uber is headquartered.
State Attorneys General from New York and Massachusetts have opened investigations into the data breach.
In Washington, D.C., Senator Richard Blumenthal urged the Federal Trade Commission to take action against the company and impose “significant penalties.”
“Senate Commerce Committee should hold hearing to demand Uber explain their outrageous breach – and inexplicable delay in informing its consumers and drivers,” Blumenthal, a Connecticut Democrat, said in a tweeton Wednesday.
An FTC spokesman said in a statement: “We are aware of press reports describing a breach in late 2016 at Uber and Uber officials’ actions after that breach. We are closely evaluating the serious issues raised.”
In January, Uber agreed to pay $20 million to settle FTC charges it misled drivers about how much they could make using the platform.
The company also settled FTC allegations that it made deceptive privacy and security claims in August. A hacker accessed Uber data on more than 100,000 drivers in May 2014. Further, the FTC said Uber did not properly monitor employee access to customer information.
The agency gave Uber 180 days to obtain an independent audit into its privacy and security practices. Tuesday’s data breach notification falls within that time frame.
Other countries have similar rules regarding breaches. The U.K.’s top data privacy organization slammed Uber on Wednesday.
“If U.K. citizens were affected then we should have been notified so that we could assess and verify the impact on people whose data was exposed,” James Dipple-Johnstone, deputy commissioner of the Information Commissioner’s Office, said in a statement. “Deliberately concealing breaches from regulators and citizens could attract higher fines for companies.”
The Office of the Australian Information and Privacy Commissioner said it was aware of the hack, and had “commenced inquiries with Uber.”
The Italian Data Protection Authority said it assessing the scale of the breach. “We are dismayed by the poor transparency shown towards users, which we intend to investigate,” authority president Antonello Soro said in a statement.
In the Philippines, the National Privacy Commission summoned local Uber officials to a meeting on Thursday.
Yet another data breach
In terms of scale, Uber’s hack doesn’t measure up to other major breaches. Cyber criminals targeted Equifax earlier this year, compromising the personal information — including names, addresses and social security numbers — of over 145 million people. In 2013, a hack of Yahoo impacted very single account — 3 billion in total.
Former executives from both of these companies have testified in front of Congress in recent months regarding their security failures and the potential risks to consumers.
But Uber’s breach is different — the company tried to cover it up and did not alert authorities or users of the issue.
Consumers might find this latest Uber scandal more troubling than its other legal or public relations problems now that they’re the victims. Fifty-seven million people is a significant chunk of Uber’s user base, which hit 40 million monthly active riders last year.
Grossman says the breach may not change consumer behavior, but it will be costly for the company.
“At best, it will impact their bottom line. The cost of dealing with this — they’re going to have lawsuits and legal fees,” Grossman said.
He also said the disclosure helps get it out in the open so the company can begin moving toward repairing its reputation.
Uber’s future plans
When Khosrowshahi became CEO in August, he inherited a slew of controversial problems. In addition to its legal troubles, Uber has faced criticism for sexual harassment issues, underpaying and deceiving drivers, questioning a rape victim, and surge pricing during times of crisis.
The new CEO wants to improve Uber’s reputation and on Tuesday said, “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.”
Khosrowshahi said the company fired two individuals who led security response. Joe Sullivan, Uber’s chief security officer, is no longer with the company, it said.
CEO Travis Kalanick, who was in charge when the hack took place, is still on the company’s board of directors. While Khosrowshahi is promising change, Kalanick’s place in a leadership role serves as a reminder they are keeping someone who signed off on controversial issues tied to the company.
Uber is expected to go public in 2019.