WASHINGTON – Uber’s handling of a data breach that exposed 57 million customers to data theft was “morally wrong and legally reprehensible,” Senator Richard Blumenthal (D-Conn.) said at a hearing Tuesday.
The firm failed to notify the government or the public for over a year following the theft, instead paying hackers 100,000 dollars in 2016 to delete the information. Uber’s payment of the blackmail without notifying their consumers, Blumenthal said, “violated not only the law, but also the norm of what should be expected.”
The hearing, sponsored by the Senate Subcommittee on Consumer Protection, Product Safety, Insurance and Data Security, focused on “bug bounties.” Companies are increasingly relying on these programs to prevent data breaches by offering rewards to hackers who find bugs and disclose them.
“A vulnerability disclosure program is essentially a neighborhood watch for software,” Marten Mickos, Chief Executive Officer of HackerOne, told lawmakers. “Thanks to the diversity and scale of the hacker community, hacker-powered security finds vulnerabilities that automated scanners or permanent penetration testing teams do not find.”
However, the 2016 hack at Uber was not resolved in line with the company’s bug bounty program. Simply put, Uber agreed to pay the demanded price for its data.
Katie Moussouris, CEO of Luta Security, said that paying the full demanded price incentivizes criminal activity.
“When we muddy that with paying extortion prices, we’re creating this environment where we’re creating more opportunities for criminals and breaches,” Moussouris said in an interview. “Why would you turn in the bug for ten thousand dollars when you could just download 57 million records and then get 100,000 dollars?”
To incentivize the use of more bug bounties, the witnesses offered several recommendations, including additional funding for cybersecurity education and training.
But the most important change would be a new federal law that would make it illegal for companies to fail to disclose a data breach, Mickos said.
“The patchwork of breach notification laws enacted primarily at the state level may create uncertainty and perverse incentives for those who safeguard consumer data,” Mickos said. “It is important that such a law provide clarity on the definition of a data breach to ensure that those who operate or participate in a good faith vulnerability disclosure policy are not legally exposed.”
Uber chief information security officer John Flynn agreed, saying that his firm would support such a law.
“It’s very hard for companies to contend with this patchwork of security notifications in the United States,” he said.
The October 2016 hack exposed the phone numbers, email addresses and names of 57 million riders around the world, as well as the driver’s license numbers of 600,000 drivers in the United States. But Uber did not disclose the breach to the public or the government until November 2017. At the time, the company was in the process of negotiating a settlement with the Federal Trade Commission over a 2014 data breach that the FTC alleged the company had not taken enough care to prevent.
Flynn apologized for the failure to disclose the hack promptly. Flynn also said that Uber is now developing a clearer bug bounty policy to prevent future extortion-like breaches.
“This was not consistent with the way in which our bug bounty program normally operates,” he said. “That’s not the way we’re going to do things moving forward.”