Earlier this month, newly minted Uber CEO Dara Khosrowshahi made his first high-profile public appearance when he sat down for an interview with the New York Times’s Andrew Ross Sorkin. Speaking in dulcet tones, Khosrowshahi laid out his vision for making Uber’s workplace culture more inclusive, building out the product and working with regulators who famously chafed at some of the policies of his predecessor, while also discussing his relationship with Uber’s board members, including former CEO and founder Travis Kalanick.
Of course, whatever goodwill Khosrowshahi earned from that public-relations coup quickly dissipated earlier this week when he disclosed that hackers had stolen personal data from some 57 million accounts in October 2016 – more than a year earlier. Furthermore, he admitted that Uber – under Kalanick’s orders – paid the hackers $100,000 to delete the data, which they said they did. Compromised data from the October 2016 attack included names, email addresses and phone numbers of over 50 million Uber riders around the world, the company told Bloomberg on Tuesday.
The personal information of about 7 million drivers was accessed as well, including some 600,000 U.S. driver’s license numbers.
Khosrowshahi has apologized for the delay, and promised to conduct a thorough investigation (keep in mind, this isn’t the only fiasco he’s dealing with: Uber is still struggling to convince London’s taxi regulator to reinstate its license, and is also facing at least one federal probe into its use of specially designed software to circumvent law enforcement).
Still, the Wall Street Journal reports that Khosrowshahi learned of the hack just two weeks after taking over on Sept. 5.
So why did he sit on the information for two whole months? California, where Uber is based, requires companies to notify affected residents of a breach of their personal information in the most expedient time possible and without unreasonable delay, and a breach of this size is the kind of material information that also has to be disclosed to investors. By Khosrowshahi’s own account, the company appears to have violated these rules.
While the massive data breach at Uber Technologies Inc. didn’t happen under the watch of its new chief executive, more than two months elapsed before he notified affected customers and drivers of the incident, people familiar with the matter said.
CEO Dara Khosrowshahi learned of the breach, which Uber said happened in October 2016 and affected some 57 million accounts, about two weeks after he officially took the helm on Sept. 5, one of the people said. Mr. Khosrowshahi said he immediately ordered an investigation, which he wanted to complete before making the matter public.
About three weeks ago, though, Uber disclosed the investigation and the broad outlines of the breach to SoftBank Group Corp., which is considering a multibillion-dollar investment in the ride-hailing company, according to other people familiar with the matter. Uber officials, including its chief security officer, knew at the time of the breach that personal information had been accessed. Uber only informed customers and drivers on Tuesday.
Under way at the time of the disclosure to SoftBank was an investigation led by FireEye Inc.’s Mandiant forensics arm. Uber had to conduct multiple interviews with employees and others, as well as review accounts, to determine how many customers and drivers were impacted, one of the people said. The company disclosed the breach to the public only after it could put a firm number on how many accounts were affected and cut ties with two executives who it said mishandled the breach, this person said.
Khosrowshahi disclosed that former CEO Travis Kalanick, who resigned as CEO in June, learned of the attack in November 2016 and authorized the payment. In response to Khosrowshahi’s disclosure, several states, along with the Federal Trade Commission and at least three European government agencies, opened inquiries this week into why it took Uber more than a year to disclose the breach. Uber says it’s cooperating, but it isn’t clear what penalties, if any, it might face.
But more germane to Khosrowshahi’s future as CEO is how he handled disclosing the breach to SoftBank, the Japanese conglomerate that has been engaged in seemingly interminable negotiations to purchase a stake in the company. The firm is reportedly planning to invest $10 billion in Uber, $1 billion of which would go directly into the company’s coffers. And as WSJ noted, the hack – even though the data were purportedly destroyed – could still impact the valuation at which SoftBank makes its investment.
Of course, some have suggested that Uber hid the hack because of the timing. The company had just settled a lawsuit with the New York attorney general over data security disclosures and was in the process of negotiating with the Federal Trade Commission over the handling of consumer data. Regardless, even when disclosures like this are made within the legally acceptable window, a company’s brand can still endure lasting damage.
“In the U.S. today, most laws allow six to eight weeks for companies to notify regulators and consumers,” said Bo Holland, the chief executive of AllClear ID Inc., a company that helps corporations respond to data breaches. Even companies that meet this standard can suffer tarnished reputations because consumers and investors expect a speedier response, he said in an email message.
“Equifax met the letter of the law, no one was happy with their response, and the executives and shareholders suffered the consequences,” he said. Because there are no federal laws on breach notification, incidents such as the Uber hack are covered by a patchwork of 48 state laws, the strongest of which require companies to notify consumers directly as soon as possible after personally identifiable information is compromised.
Uber is subject to these laws in states where it does business. Non-compliance with the laws exposes Uber to a range of state penalties and to consumer lawsuits.
As one of WSJ’s sources pointed out, leadership transition isn’t a legally acceptable excuse to delay disclosure.
“The provisions that allow for delay are not about getting your new management in order,” said Deirdre Mulligan, a University of California, Berkeley, professor who served as an adviser to lawmakers during the creation of California’s breach-notification law, which requires companies to notify consumers as soon as possible after a breach but doesn’t specify a time period. The California Department of Justice declined to comment, citing its policy of not commenting on possible investigations.
Uber, which is based in San Francisco, said names, email addresses and phone numbers for millions of riders were accessed, as well as the driver’s license numbers for about 600,000 drivers. The unauthorized access of those names and numbers would have triggered the requirement for such a disclosure in California, Ms. Mulligan said.
WSJ reports that after being contacted by the hackers, Uber pushed them to join the company’s “bug bounty” program, which pays people for information about flaws in the company’s software – an approach that definitely seems questionable, since it dressed up an extortion payment as a routine security reward. The hackers agreed to join the program and Uber paid them the $100,000, and a subsequent investigation by a cybersecurity contractor turned up no evidence that stolen data had been used for malicious purposes. Uber disclosed the breach to SoftBank a few weeks before informing its customers, drivers and the broader public.
Uber needed to disclose the breach to its customers and drivers before the tender offer because a breach of this size and scope could be considered material to investors, and possibly impact the price at which SoftBank offers to buy shares. SoftBank is expected to settle on a fixed price for the offer as soon as next week, but the timing of the deal has been repeatedly delayed.
Ultimately, the impact of the hack will be determined by one number: the valuation at which SoftBank agrees to invest in the world’s most valuable Silicon Valley unicorn. If it slips below the $70 billion figure that has been bandied about since the company’s last investment round, the news wouldn’t just taint Kalanick’s legacy; it could also cause potentially irreparable damage to Khosrowshahi’s tenure at the helm of one of the world’s most valuable (allegedly) and most controversial private companies.