Our attorneys are investigating allegations that Uber covered up a massive data breach that occurred in 2016 by paying hush money to the hackers. The hackers stole the names, email addresses, and mobile phone numbers for 57 million Uber users (50 million passengers and 7 million drivers), and 600,000 Uber drivers also had their driver’s license information stolen, according to Uber’s own announcement about the incident.
Was My Information Included in the Uber Breach?
At this time, Uber has not announced how users can tell whether their information was affected by the breach. But the number of records stolen suggests the breach may have compromised the information of every user who rode with or drove for Uber. Uber reported 40 million active users worldwide, according to statistics from October 2016, yet it announced that 57 million accounts worldwide were affected by the data breach. These numbers indicate that inactive accounts were also affected: even individuals who have not used the app for years may have had their information stolen.
It appears Uber can clear up any uncertainty with information in its possession about who was affected. Uber said in a statement about the breach:
“We do not believe any individual rider needs to take any action” because “[w]e are monitoring the affected accounts.”
How Did the Uber Data Breach Happen?
According to Bloomberg, the hackers obtained the account credentials (i.e., username and password) for Uber’s GitHub repository. GitHub is a site that software engineers use to collaborate on writing software code. Credentials stored in files in that repository gave the hackers the username and password for Uber’s store of user data on Amazon Web Services, the cloud platform many companies use to host their databases, according to CNN. In other words, the attackers did not break any encryption or exploit a software flaw; they found working credentials where they should never have been kept. Jeremiah Grossman, chief of security strategy at security firm SentinelOne, notes that “this was not a sophisticated hack” (as reported by CNN).
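The failure described above, cloud credentials checked into a source repository, is exactly what a pre-commit secret scan is meant to catch. The following is an added example written for this page; it is not Uber’s code and not a published scanning tool. The AWS key formats it matches are public (an AKIA or ASIA prefix followed by 16 characters for an access key ID, and a 40-character secret), but the keyword context, the entropy threshold, the allowlist of AWS’s documented example credentials, and the sample files are assumptions for illustration, and every credential in the samples is fake.

```python
"""Scan staged repository files for AWS credentials before they are committed.

Added example for this page: not Uber's code and not a published tool.
The key formats are AWS's public formats; keyword context, entropy
threshold and sample files are assumptions, and all sample keys are fake.
"""
from __future__ import annotations

import math
import re
from dataclasses import dataclass

# Access key IDs: AKIA (long-term) or ASIA (temporary) prefix + 16 uppercase alphanumerics.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[0-9A-Z]{16}(?![A-Z0-9])")
# Secret keys are 40 base64-like characters; require a nearby keyword so that
# arbitrary hashes and tokens of the same length are not flagged (assumption).
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws_?secret(?:_access)?_key|secret)\s*[:=]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)
# AWS's own documented example credentials; safe to ignore in docs and tests.
ALLOWLIST = {"AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}
# Assumption: placeholders such as AKIAXXXXXXXXXXXXXXXX fall well below this.
MIN_ENTROPY_BITS = 3.5


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    value: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; low values indicate placeholders, not real keys."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _is_real_looking(value: str) -> bool:
    return value not in ALLOWLIST and shannon_entropy(value) >= MIN_ENTROPY_BITS


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per credential-looking token in the file contents."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            if _is_real_looking(m.group(0)):
                findings.append(Finding(path, lineno, "aws_access_key_id", m.group(0)))
        for m in SECRET_KEY_RE.finditer(line):
            if _is_real_looking(m.group(1)):
                findings.append(Finding(path, lineno, "aws_secret_access_key", m.group(1)))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> contents, as a pre-commit hook would see staged files."""
    out: list[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


def commit_allowed(files: dict[str, str]) -> bool:
    """Gate: refuse the commit if any real-looking credential is present."""
    return not scan_files(files)


# Constructed sample of staged files. Every credential here is fake.
SAMPLE_FILES = {
    "config/settings.py": (
        "DB_HOST = 'users-db.internal'\n"
        "AWS_ACCESS_KEY_ID = 'AKIAZX9Q4J7LM2R8TK5N'\n"
        "AWS_SECRET_ACCESS_KEY = 'q8Zr2/Lm9Xw+Vt4KpN7cYb1HsJ3dFg6aQe0RuTiW'\n"
    ),
    # AWS's documented example key: allowlisted, so not reported.
    "docs/setup.md": "Set AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE (placeholder from AWS docs)\n",
    # Obvious placeholder: matches the format but has almost no entropy.
    "config/settings.example.py": "AWS_ACCESS_KEY_ID = '" + "AKIA" + "X" * 16 + "'\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.kind} {f.value[:4]}...")
    print("commit allowed:", commit_allowed(SAMPLE_FILES))
```

Run against the constructed files, the scanner reports only the two live-looking credentials in config/settings.py and blocks the commit; the documentation placeholder and the low-entropy template key pass. The entropy check and allowlist are what keep such a hook usable without drowning engineers in false positives, which is the usual reason these checks get disabled.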
Our firm has substantial experience dissecting the causes of data breaches, as we did in the Anthem data breach litigation, where we helped achieve a $115 million settlement, pending final approval by the Court.
Why Did it Take Uber a Year to Announce the Breach?
Uber employees covered up the hack, according to Reuters:
Uber Technologies Inc paid hackers $100,000 to keep secret a massive breach last year that exposed the data of some 57 million accounts of the ride-service provider.
Discovery of the company’s cover-up of the incident resulted in the firing of two employees who led Uber’s response to the hack…
The two hackers approached Uber with a ransom demand of “$100,000 to delete their copy of the data,” the New York Times reports. After acquiescing to the demand, Uber employees “tracked down the hackers and pushed them to sign nondisclosure agreements,” according to the NYT. According to Uber, the chief security officer concealed the hack from Uber’s board of directors, which discovered the 2016 breach as part of a board investigation into Uber’s business practices. Uber says that it announced the breach after discovering the cover up. “Uber says it obtained assurances the data was destroyed,” after it paid the hackers $100,000, reports CNN.
Did Uber Break the Law by Covering Up the Breach?
While there is no federal law explicitly prohibiting a company from paying ransom to hackers, the FBI released a statement in 2016 saying that companies should not pay ransoms because it “doesn’t guarantee an organization that it will get its data back.” The FBI said it had seen cases where hackers reneged on their promises, despite being paid. Further, the FBI says, “Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity.”
Uber’s cover up and failure to report the data breach may subject the company to serious legal ramifications. As CNN states:
Forty-eight states have security breach notification laws which require companies to disclose when hackers access private information, including California, where Uber is headquartered.
CNN further reported:
State Attorneys General from New York and Massachusetts have opened investigations into the data breach. In Washington, D.C., Senator Richard Blumenthal urged the Federal Trade Commission to take action against the company and impose ‘significant penalties.’
The FTC says it “promotes data security in the private sector through civil law enforcement,” which includes fines and civil penalties. The FTC states that “[t]he touchstone of the FTC’s approach to data security is reasonableness: a company’s data security measures must be reasonable in light of the sensitivity and volume of consumer information it holds.”
Our Leadership in Data Breach & Privacy
Our firm has represented plaintiffs in complex lawsuits involving some of the nation’s largest data breaches, including litigation against Anthem, Adobe, Home Depot, Excellus Blue Cross and Blue Shield, and Banner Health, among others. In the past, we have successfully represented consumers with data breach and privacy claims involving HealthNet and Certegy Check Services.
Eric Gibbs has established himself as a leader in emerging litigation involving data breach and privacy. He was court-appointed to the four-member leadership team in the Anthem Data Breach Litigation, which recently settled for $115 million, the largest data breach settlement in history (settlement pending final Court approval). Eric secured a landmark ruling in the Adobe Systems, Inc. Privacy Litigation, which makes it easier for plaintiffs to seek relief following a breach. He was recently selected from among a pool of attorneys from across the country to serve as co-lead counsel in the Vizio, Inc., Consumer Privacy Litigation.
Eric co-founded the American Association for Justice’s Data Breach and Privacy Litigation Group, and has served as chair and organizer of several consumer privacy conferences on best practices and developments in consumer privacy litigation.