The news comes on the heels of the ride-hailing company's surprise acknowledgement that hackers had stolen personal data - including names, email addresses, phone numbers and approximately 600,000 driver's license numbers - of 50 million riders and seven million drivers around the world back in October 2016. That's a big number, but we are becoming increasingly numb to this kind of revelation, with all the cyber-leaks now making the news. He also said that the disclosed data includes the names, email addresses and mobile numbers of Uber users worldwide, along with the names and licence numbers of over 600,000 USA drivers.
"At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals".
"None of this should have happened, and I will not make excuses for it", he wrote. However, Uber has stated that others, like the outgoing chief legal officer Salle Yoo, didn't know about the breach until its board commissioned an independent investigation into Sullivan's conduct spearheaded by an external law firm, which unearthed the breach and drew it to the public's attention.
On Tuesday, Uber CEO Dara Khosrowshahi revealed in a blog post what the ride-hailing company had been hiding from the public since October 2016, i.e., for nearly a year. Within hours of the disclosure, a customer filed a lawsuit seeking class-action status, and New York Attorney General Eric Schneiderman launched an investigation. ("We will learn from our mistakes.") The hacking fallout has already begun. We are changing the way we do business.
The news is another PR disaster for new boss Khosrowshahi, who has already had to deal with Uber losing its private hire licence in London, losing an appeal over drivers' rights in the United Kingdom and falling behind on business travel bookings in the USA compared to its rival, Lyft.
Senate Commerce Committee should hold hearing to demand Uber explain their outrageous breach - and inexplicable delay in informing its consumers and drivers. Uber says that the affected rider accounts are now being monitored and have been given extra fraud protection, but there is currently no official way of finding out whether your rider account has been breached.
James Dipple-Johnstone, deputy commissioner of the information watchdog, said: "Uber's announcement about a concealed data breach last October raises huge concerns around its data protection policies and ethics".
Uber should comply with formal breach notification procedures outlined in the Data Privacy Act of 2012 or Republic Act. Uber has also fired two employees who were leading the company's response to the 2016 data breach.
"Uber's breach demonstrates once again how developers need to take security seriously and never embed or deploy access tokens and keys in source code repositories", said Chester Wisniewski, Principal Research Scientist at Sophos, a global IT security firm.