Uber was hacked last year, the company disclosed yesterday. Two hackers stole the contact information for 57 million people and the driver’s-license numbers for 600,000 drivers. In the hierarchy of data value, this stuff is not high up on the list. And the breadth of the hack also pales in comparison to other recent breaches at Yahoo and Equifax.
But it’s what happened after the hack that is drawing condemnation. Uber did not report the breach to regulators, as new CEO Dara Khosrowshahi now acknowledges they should have. And then they paid $100,000 to the hackers to keep quiet. And then they tried to make it seem as if the payment was a “bug bounty” paid as part of their normal security-testing operations, The New York Times reported. The hackers were even asked to sign nondisclosure agreements.
It’s pretty ugly.
While it is widely acknowledged that companies (and civic entities) pay ransoms to hackers, it is considered poor form. It’s also poor form—as well as possibly illegal—not to notify victims of data breaches. And it’s also poor form to essentially fake a bug bounty.
In one version of this narrative, this can all be laid at the feet of Travis Kalanick, the deposed ruler of Uber who retains a board seat for himself, along with a few other seats filled with his handpicked members.