The massive 2016 breach disclosed by Uber last week has triggered questions on Capitol Hill, with Sen. Mark Warner (D-Va.) demanding answers from company leadership on its response to the incident.
“I write to you with grave concerns about your company’s handling of a breach impacting millions of your users and hundreds of thousands of your drivers,” Warner wrote in a letter to Uber CEO Dara Khosrowshahi on Monday.
{mosads}Separately, leaders of the Senate Finance and Commerce Committees wrote to Khosrowshahi requesting information on the circumstances surrounding the data breach.
Uber revealed last week that hackers in late 2016 gained access to information, including email addresses and mobile phone numbers, on 57 million of its riders and drivers by breaching a third-party, cloud-based account. The company, which at the time was headed by ex-CEO Travis Kalanick, reportedly tried to cover up the breach by paying hackers $100,000 to destroy the stolen files.
Warner sounded the alarm over the revelations on Monday, saying that the company may have run afoul of federal and state regulations by failing to disclose the breach to customers until now. The company is already facing multiple investigations by state attorneys general, including those in New York and Massachusetts.
“While Uber reportedly learned of the breach in November 2016 … Uber decided not to inform either passengers or drivers of the breach until last week,” Warner wrote.
“Even more disturbingly, Uber is reported to have shared information concerning the breach with a potential investor weeks prior to alerting regulators or affected drivers and passengers, as required under numerous state data breach laws,” he wrote, citing reports that Uber discussed the breach with SoftBank, a prospective investor, before acknowledging the incident to the public.
“I have long championed the innovation and potential of the on-demand economy. However, Uber’s conduct raises serious questions about the company’s compliance with relevant state and federal regulations,” Warner wrote.
Khosrowshahi, who says he only recently became aware of the breach, has launched an investigation into the company’s handling of the incident. Khosrowshahi replaced Kalanick as CEO in August.
Warner asked her to respond to a number of questions, including who conducted the initial investigation into the breach, what rationale was behind the decision to pay the hackers and why Uber did not have stronger security protocols on the third-party cloud service provider account that was breached by hackers.