Uber’s top security official answered to lawmakers Tuesday over the company’s handling of a 2016 security breach that exposed the personal information of 57 million customers and earned its perpetrators a $100,000 payout.
Testifying on Capitol Hill, Uber’s chief information security officer, John Flynn, said there was “no justification” for his company having waited over a year to reveal that hackers breached a customer database in late 2016 and stole the personal information of roughly 57 million riders and drivers, including their names, email addresses and phone numbers.
“The breach should have been disclosed in a timely manner,” Mr. Flynn said in written testimony prepared for his appearance Tuesday before the Senate Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security.
“I think we made a misstep in not reporting to consumers, and I think we made a misstep in not reporting to law enforcement,” Mr. Flynn told its members.
Uber’s incoming CEO revealed on Nov. 21 that hackers had breached customer data roughly a year earlier, and subsequent reporting revealed that the perpetrators were compensated through a bug bounty program used to reward security researchers for discovering vulnerabilities.
“The fact that the company took approximately a year to notify impacted users raises red flags within this committee as to what systemic issues prevented such time-sensitive information from being made available to those left vulnerable,” Chairman Jerry Moran, Kansas Republican, said during the hearing.
“Senator, there is no justification for that,” said Mr. Flynn. “It was a mistake not to do so.”
Uber has paid about $1.3 million through its bug-bounty program to more than 500 hackers who have discovered over 800 vulnerabilities, including the $100,000 paid to the individuals behind the 2016 data breach, Mr. Flynn said Tuesday.
“Uber’s bug bounty program unquestionably has increased the scale and speed at which we are able to identify and eliminate cybersecurity threats,” Mr. Flynn said in his written remarks.
Sen. Richard Blumenthal, Connecticut Democrat and the subcommittee’s ranking member, however, took issue with Uber having compensated the hackers behind the massive data breach without promptly alerting victims.
“There ought to be no question here that Uber’s payment of this blackmail without notifying consumers who were greatly at risk was morally wrong and legally reprehensible and violated not only the law but the norm of what should be expected,” said Mr. Blumenthal.
Dara Khosrowshahi, Uber’s current CEO, previously said he authorized an investigation into the data breach after learning about the incident upon taking the company’s reins in August.
“None of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes,” he said at the time.
The breach is currently being reviewed by attorneys general in several states as well as multiple foreign regulators.
• Andrew Blake can be reached at ablake@washingtontimes.com.