Uber Data Breach Lawsuit Investigation

At this time, Uber has not announced how users can tell if their information was affected by the breach. But based on the number of records stolen, it appears that the breach may have compromised the information of every single user who rode with or drove for Uber. Uber reports 40 million active users worldwide, according to statistics from October 2016. But, Uber announced that 53 million users worldwide were affected by the data breach. These numbers seem to indicate that non-active users are also impacted by the breach. It’s possible that even individuals who have not used the app for years still had their information stolen.

It appears Uber can clear up any uncertainty with information in its possession about who was affected. Uber said in a statement about the breach:

We do not believe any individual rider needs to take any action” because “[w]e are monitoring the affected accounts.

According to Bloomberg, the hackers were able to get the account credentials (e.g., username and password) for Uber’s Github repository. Github is a site that software engineers use to collaborate on writing software code. From information stored in Uber’s Github repository, the hackers were able to acquire the username and password for Uber’s database of user data stored on Amazon Web Services, a cloud-based service that many companies use to make databases available to employees and business partners through the worldwide web, according to CNN. In terms of the hack itself, Jeremiah Grossman, chief of security strategy at security firm SentinelOne, notes that “this was not a sophisticated hack” (as reported by CNN).

Our firm has substantial experience dissecting the causes of data breaches, as we did in the Anthem data breach litigation, where we helped achieve a $115 million settlement, pending final approval by the Court.

Uber employees covered up the hack, according to Reuters:

Uber Technologies Inc paid hackers $100,000 to keep secret a massive breach last year that exposed the data of some 57 million accounts of the ride-service provider.

Discovery of the company’s cover-up of the incident resulted in the firing of two employees who led Uber’s response to the hack…

The two hackers approached Uber with a ransom demand of “$100,000 to delete their copy of the data,” the New York Times reports. After acquiescing to the demand, Uber employees “tracked down the hackers and pushed them to sign nondisclosure agreements,” according to the NYT. According to Uber, the chief security officer concealed the hack from Uber’s board of directors, which discovered the 2016 breach as part of a board investigation into Uber’s business practices. Uber says that it announced the breach after discovering the cover up. “Uber says it obtained assurances the data was destroyed,” after it paid the hackers $100,000, reports CNN.

While there is no federal law explicitly prohibiting a company from paying ransom to hackers, the FBI released a statement in 2016 saying that companies should not pay ransoms because it “doesn’t guarantee an organization that it will get its data back.” The FBI said it had seen cases where hackers reneged on their promises, despite being paid. Further, the FBI says, “Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity.”

Uber’s cover up and failure to report the data breach may subject the company to serious legal ramifications. As CNN states:

Forty-eight states have security breach notification laws which require companies to disclose when hackers access private information, including California, where Uber is headquartered.

CNN further reported:

State Attorneys General from New York and Massachusetts have opened investigations into the data breach. In Washington, D.C., Senator Richard Blumenthal urged the Federal Trade Commission to take action against the company and impose ‘significant penalties.’

The FTC says it “promotes data security in the private sector through civil law enforcement,” which includes fines and civil penalties. The FTC states that “[t]he touchstone of the FTC’s approach to data security is reasonableness: a company’s data security measures must be reasonable in light of the sensitivity and volume of consumer information it holds.”