Uber, quit shoveling money into the fire for one second and explain that hack – US senators

Lawmakers wonder if biz known for regulatory contempt flouted rules


Five US senators on Monday asked ersatz taxi biz and lawsuit magnet Uber to provide more details about how it allowed hackers in 2016 to pilfer personal information for 57 million customers and drivers.

The data theft, revealed last week and not to be confused with a May 2014 security blunder, led to a $100,000 bung to the hackers – disguised as a bug bounty payment – in exchange for destroying the copied records and keeping silent... to protect Uber's image. It also led to the ousting of Uber's security chief Joe Sullivan and Craig Clark, legal director of security and law enforcement.

Uber's recently appointed CEO Dara Khosrowshahi issued a statement on November 21 about this latest lapse, which occurred before his arrival. "None of this should have happened, and I will not make excuses for it," he said. "While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes."

There's no shortage of mistakes from which Uber may be able to create a corrective curriculum. Senators John Thune (R-SD), Orrin Hatch (R-UT), Jerry Moran (R-KS), and Bill Cassidy (R-LA) in a joint letter pointed to an August 2017 settlement with the US government's Federal Trade Commission that was supposed to resolve deceptive privacy and data security practices.

"Our goal is to understand what steps Uber has taken to investigate what occurred, restore and maintain the integrity of its systems, and identify and mitigate potential consumer harm and identity theft-related fraud against Federal programs," their letter stated.

Toward that end, the concerned four asked what Uber knew about the incident and when, the details of the reported covert payment, which regulators were informed, how Uber aims to mitigate consumer harm, and the steps the company has taken to meet its promises to the FTC.

Another senator, Mark Warner (D-VA), sent his own demand for information with more adversarial questions.

He asked why more robust protection, such as multi-factor authentication, wasn't used to protect the Uber AWS account that got pwned. He also inquired how Uber could be sure the stolen data had been deleted, how senior executives rationalized covering up the incident, and why the data loss was disclosed to potential investors but not customers and drivers.

In addition, Warner questioned how Uber tracked down the hackers, raising the possibility that the company may have violated the Computer Fraud and Abuse Act. "As you know, no private right exists for companies to 'hack back' those who compromise their systems," he wrote.

Uber also faces scrutiny from several states; almost every state in the US has some form of data breach notification law. The cash-burning, profit-free, San Francisco-based upstart did not respond to a request for comment. ®

Stop press: The US state of Illinois and the city of Chicago have sued Uber alleging fraud and deceptive business practices regarding last year's hacking.


Biting the hand that feeds IT © 1998–2017
