After an Uber data breach, new CEO Dara Khosrowshahi makes a disappointingly incomplete statement

Photo: Dara Khosrowshahi, by George Grinsted via Flickr

Hackers stole information on 600,000 Uber drivers and 57 million riders in 2016. The company paid $100,000 to the hackers to delete the data, but didn’t inform the affected people until now. New Uber CEO Dara Khosrowshahi’s remorseful apology is far clearer than Uber’s past statements, but never mentions the ransom.

These are the facts, according according to Eric Newcomer’s article on Bloomberg News: In October 2016, two people stole information on 57 million Uber drivers and customers by accessing data someone at Uber had stored in an Amazon Web Services account. The stolen data included names and driver’s license numbers, but not Social Security Numbers, credit card numbers, or details of trips they took. Uber failed to report the breach as obligated by law. With the complicity of its chief Security Officer, Joe Sullivan, Uber paid the hackers $100,000. Khosrowshahi just asked Sullivan to resign, and he did.

The Dara Khosrowshahi statement is clear, but omits key details

After Uber founder Travis Kalanick resigned, new CEO Khosrowshahi set about remaking the company’s toxic culture. Here’s Khosrowshahi’s statement about the breach, published yesterday. I’ll highlight the weasel words and add commentary and a more honest translation.

2016 Data Security Incident

Written by Dara Khosrowshahi

As Uber’s CEO, it’s my job to set our course for the future, which begins with building a company that every Uber employee, partner and customer can be proud of. For that to happen, we have to be honest and transparent as we work to repair our past mistakes.

Commentary: Although Khosrowshahi wants to set a tone of transparency, the title of his statement calls the breach an “incident,” rather than what it is: a theft.

Translation: For Uber to survive, I need you to believe that I am fixing Uber’s culture of lying, cheating, and covering up its mistakes.

I recently learned that in late 2016 we became aware that two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use. The incident did not breach our corporate systems or infrastructure.

Our outside forensics experts have not seen any indication that trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded. However, the individuals were able to download files containing a significant amount of other information, including:

  • The names and driver’s license numbers of around 600,000 drivers in the United States. Drivers can learn more here.
  • Some personal information of 57 million Uber users around the world, including the drivers described above. This information included names, email addresses and mobile phone numbers. Riders can learn more here.

Commentary: Khosrowshahi does not say how long he has been continuing to hide the information since finding out about it (“recently”). Calling this “significant” minimize the impact. Khosrowshahi’s description of the incident can at best say what Uber hopes the hackers didn’t get, and he vaguely refers to “some” personal information without specifying all what the hackers stole. He does reveal the details of what was stolen, but that is required by law.

Translation: Hackers stole the names and driver’s license numbers of 600,000 drivers and other information, some of which I won’t tell you about, on 57 million riders. As far as I know, they didn’t get your financial details or Social Security numbers.

At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals. We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.

Commentary: This sounds strong but is vague. It doesn’t describe the steps Uber took, which apparently included a huge payoff to the thieves. How much should we trust these “assurances” or the newly strengthened security procedures?

Translation: We paid $100,000 to the thieves and they promise that they deleted the data. We changed the passwords on our accounts and fired our head of security. We won’t be storing passwords on GitHub accounts any more.

You may be asking why we are just talking about this now, a year later. I had the same question, so I immediately asked for a thorough investigation of what happened and how we handled it. What I learned, particularly around our failure to notify affected individuals or regulators last year, has prompted me to take several actions:

  • I’ve asked Matt Olsen, a co-founder of a cybersecurity consulting firm and former general counsel of the National Security Agency and director of the National Counterterrorism Center, to help me think through how best to guide and structure our security teams and processes going forward. Effective today, two of the individuals who led the response to this incident are no longer with the company.
  • We are individually notifying the drivers whose driver’s license numbers were downloaded.
  • We are providing these drivers with free credit monitoring and identity theft protection.
  • We are notifying regulatory authorities.
  • While we have not seen evidence of fraud or misuse tied to the incident, we are monitoring the affected accounts and have flagged them for additional fraud protection.

Translation: I got handed this disaster, it’s not my fault. I fired two guys (you can find their names in the articles, but I won’t say who), and brought in somebody who ought to know what he’s doing. And we are finally doing what we should have done a year ago: informing authorities, making a public statement, and telling the affected drivers and riders about their data being stolen.

None of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.

Translation: My excuse for what happened is that it happened before I got here. Despite my promises of honesty, my statement doesn’t include the names of the people I fired or the fact that we paid the thieves $100,000. Even so, please support me as I clean up the mess that is our company.

Is Uber better now?

I want to believe Dara Khosrowshahi. He’s trying to be the irresistible force that moves the immovable object that is Uber’s consistent bad behavior. And to be fair to him, this breach and the coverup happened before he got there.

That said, his statement omits key facts and minimizes the problem by calling it an “incident” rather than a “breach.” A more honest CEO would be even more direct.

Can things get any better? We’ll be watching. And I’m not cutting Khosrowshahi any slack — he doesn’t get held to a lower standard just because he works for Uber.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.