Testifying in front of Congress on Tuesday, Uber CIO John Flynn said that there was "no justification" for the company covering up a massive 2016 breach by hackers from Canada and Florida which affected 57 million accounts.
"I think we made a misstep in not reporting to consumers, and I think we made a misstep in not reporting to law enforcement," said Flynn.
The CIO also said that it was inappropriate to have paid one of the hackers $100,000 through a "bug bounty" program to destroy the stolen data. The bounty program offers financial rewards to anyone who identifies vulnerabilities.
Flynn confirmed the man who obtained data from Uber was in Florida and that his partner, who first contacted the company on Nov. 14, 2016, to demand a six-figure payment, was located in Canada. The company’s security team made contact with both people and received assurances the pilfered data had been destroyed before paying the intruders $100,000, Flynn said. -Reuters
“We recognize that the bug bounty program is not an appropriate vehicle for dealing with intruders who seek to extort funds from the company,” Flynn said in his written testimony. “The approach that these intruders took was separate and distinct from those of the researchers in the security community for whom bug bounty programs are designed.”
Of the 57 million user accounts were compromised last November, 25 million were located in the United States. Of those, 4.1 million were Uber drivers, according to Flynn's testimony. The hackers were able to obtain names, addresses and drivers license numbers.
Lawmakers on the Senate Commerce consumer protection subcommittee railed against the company over how it handled the breach.
“The fact that the company took approximately a year to notify impacted users raises red flags within this Committee as to what systemic issues prevented such time-sensitive information from being made available to those left vulnerable,” said subcommittee chairman Sen. Jerry Moran (R-KS).
“There ought to be no question here that Uber’s payment of this blackmail without notifying consumers who were greatly at risk was morally wrong and legally reprehensible and violated not only the law but the norm of what should be expected,” added Sen. Richard Blumenthal (D-CT).
Blumenthal also noted that Uber was in the process of negotiating a settlement with the Federal Trade Commission over an earlier, smaller breach and charges of deceptive privacy claims - while covering up the giant breach from November 2016.