John Flynn, Uber’s chief information security officer, told Senate committee in a written statement that “it was wrong not to disclose the breach earlier.” Flynn and other representatives from security firms appeared before the Senate Subcommitee on Consumer Protection, Product Safety, Insurance, and Data Security, as part of a hearing.
Uber concealed the data breach it experienced in 2016 and wasn’t disclosed to the public until November 2017, when new Uber CEO, Dara Khosrowshahi, announced it to everyone. In the breach, fifty-seven million customers’ and drivers’ names, phone numbers, and email addresses were compromised. It was also revealed that no credit card information, trip location info, or Social Security numbers were stolen.
Because of this disclosure, Uber is now facing multiple lawsuits that are ongoing and the company is fighting to either end or reach settlements. To make matters worse, Uber originally paid hush money to the hackers to the tune of $100,000 as part of its bug bounty program, which was a disguise to conceal what Uber had done.
According to Bloomberg, Chairman Jerry Moran, a Republican senator from Kansas, said, “The fact that the company took approximately a year to notify impacted users raises red flags within this committee as to what systemic issues prevented such time-sensitive information from being made available to those left vulnerable.”