Uber breach scrutinized in Senate on both sides of the aisle

Senators on both sides of the aisle are demanding answers from Uber over its handling of the 2016 data breach that compromised the personal information of more than 57 million users of its mobile ride-sharing app.

In separate letters sent Monday, four Republicans and a Democrat asked Uber CEO Dara Khosrowshahi for additional information about the recently disclosed security breach and the company’s response, particularly with respect to news reports indicating it paid the perpetrators $100,000 to keep the incident under wraps.

“Our goal is to understand what steps Uber has taken to investigate what occurred, restore and maintain the integrity of its systems and identify and mitigate potential consumer harm and identity theft-related fraud against Federal programs,” Republican Sens. John Thune of South Dakota, Orin Hatch of Utah, Jerry Moran of Kansas and Bill Cassidy of Louisiana wrote in the GOP letter.

“Did Uber authorize payments to outside parties in connection with the incident?” they asked in the letter. “If so, please provide additional details, including the amounts, dates, method of transfer, as well as the purpose of such payments, including whether the purpose of such payments was, even in part, to conceal the incident itself.”

Sen. Mark Warner, Virginia Democrat, raised similar concerns in a letter of his own.

“What rationale was provided by senior executives for covering up this breach?” Mr. Warner asked, adding that he has “grave concerns” over Uber’s handling of the incident.

“I have long championed the innovation and potential of the on-demand economy. However, Uber’s conduct raises serious questions about the company’s compliance with relevant state and federal regulations,” Mr. Warner wrote.

Mr. Khosrowshahi said in a Nov. 21 blog post that hackers breached a third-party service used by Uber in late 2016 and stole the names, email addresses and mobile phone numbers of 57 million users, among other data.

Uber “subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed,” Mr. Khosrowshahi wrote in the blog post. Multiple outlets have since reported that those assurances were obtained by paying the responsible hackers $100,000 in hush money.

The breach happened before Mr. Khosrowshahi took the reins of Uber in August, and he fired two former employees implicated in the company’s response upon becoming aware of their role, he said in the blog post.

The Republicans’ letter contains 11 questions for Mr. Khosrowshahi regarding the breach and requests a response by Dec. 11. Mr. Warner’s letter contains six questions but lacks a deadline.

“We are committed to changing the way we do business, putting integrity at the core of every decision we make, and working hard to regain the trust of consumers,” Uber said in a statement Monday.