In a world where over 2.5 quintillion bytes of data are consumed daily through emails, videos, images, tweets, and content, infringement in some form or the other is inevitable. When a security breach does occur, the onus lies with the infiltrated company/platform to alert customers and government agencies. This is where Uber has failed sorely.
According to reports that have surfaced this week, the global ride-sharing giant underwent a massive breach in October 2016, wherein data of more than 57 Mn drivers and customers were accessed illegally. Instead of reporting the infringement to authorities, Uber chose to keep the hack under wraps for over a year, going so far as to pay $100K to the attackers for their silence.
Reports of the cyberattack finally surfaced when the cab aggregator ousted its Chief Security Officer and a few other people involved in the cover-up, earlier this week.
In response to the controversy, the company’s newly-crowned CEO Dara Khosrowshahi stated, “None of this should have happened, and I will not make excuses for it. We are changing the way we do business. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.”
Interestingly, this isn’t the first time that private details of Uber drivers and customers have been accessed. In 2015, the cab aggregator accidentally leaked personal information of hundreds of its drivers through a newly-launched app called “Uber Partner”. Details like social security numbers, scans of driver licenses and tax forms were made public.
What Exactly Happened Last October?
As part of the violation that took place in October last year, the attackers gained access to names, email address and phone numbers of more than 50 Mn Uber riders from across the world. Additionally, the personal data of up to 7 Mn drivers, including 600K in the US alone, were hacked, sources revealed.
So, how exactly did the breach happen? As narrated by Bloomberg in a recent report, two attackers managed to break into a GitHub coding side used by Uber engineers and retrieve authentic login credentials, which they later used to access private data stored in one of the company’s AWS accounts.
The account, as per sources, was being used by the cab aggregator’s engineering team to handle various computing tasks. Through the account, the hackers got their hands on an extensive data archive of riders and drivers. Armed with these details, the duo allegedly blackmailed the company for money.
Instead of informing authorities of the breach, Uber decided to take matters into its own hands. While paying a lump sum to buy the attackers’ silence was probably its first plan of action, the company claimed that it had taken steps to reverse the breach.
Khosrowshahi added, “At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.”
However, the hacked information was likely never used, claimed CEO Dara Khosrowshahi.
So, Why Did Uber Cover Up The Breach In The First Place?
To understand why Uber chose to keep the breach under wraps, instead of dealing with it in a transparent way, we need to delve deeper. Curiously, the incident occurred at a time when the ride-sharing platform was already embroiled in an investigation over suspected privacy violations.
The then Uber CEO Travis Kalanick was informed of the attack a most later in November 2016. As recounted by Bloomberg in its report, the cab aggregator had just settled a lawsuit in New York over data security disclosures and was involved in negotiations with the Federal Trade Commission about security measures when dealing with consumer data.
The questionable actions taken in the aftermath of the breach were largely carried out by the now-ousted Chief Security Officer, Joe Sullivan. Nearly eleven months after the attack, Uber’s board commissioned a third-party law firm to launch an investigation into the entire episode. Sullivan’s poor handling of the crisis and failure to disclose were discovered only last month.
Following the release of Uber’s statement yesterday, New York Attorney General Eric Schneiderman ordered a fresh investigation into the cyberattack. Meanwhile, the ride-hailing giant has also been sued by a customer on charges of negligence.
Uber: A Troubled Legacy That Won’t Go Away
Founded in August 2008 by Travis Kalanick and Garrett Camp, the San Francisco-headquartered company is currently in the process of raising a staggering $10 Bn from Softbank and a clutch of other investors. Although valued at more than $70 Bn, its journey over the last nine years has been nothing short of dramatic. January 2017 started off with Uber facing a social campaign #DeleteUber after it was incorrectly perceived as trying to break a one-hour taxi strike at JFK airport.
Later it caught the ire of users after Donald Trump signed an executive order on immigration ban for Syrian refugees and blocked entry for citizens from seven predominantly Muslim countries. At that time Uber’s Travis Kalanick was on Trump’s business advisory council and this led to the extension of #DeleteUber.
In February, former Uber engineer, Susan Fowler, disclosed sexual harassment and sexism claims in a blog post about her year at Uber. The same month, Waymo, a self-driving car company spun off from Google, sued Uber alleging that Anthony Levandowski – a former top manager for Google’s self-driving car project – stole pivotal technology from Google before leaving to run Uber’s self-driving car division.
Following all these allegations, Travis Kalanick stepped down as CEO under investor pressure on June 20, amidst pressure from other shareholders. Since then, Kalanick has also been sued by early investor Benchmark Capital as well as Irving Firemen’s Relief and Retirement Fund, accusing him of fraud, breach of contract and breach of fiduciary duty.
Later in August, Uber found its new captain in Dara Khosrowshahi. In September, the cab aggregator made headlines once again when it was banned in London. When the news originally surfaced that the transport authority for London would not be renewing Uber’s license to operate in the city, Khosrowshahi had said in an open letter, “On behalf of everyone at Uber globally, I apologize for the mistakes we’ve made.” Uber has since filed an appeal with Transport for London about reversing the ban and is hoping to commence operations in the city soon.
Things Looking Brighter In The Indian Market
At the end of 2016, Uber’s net revenue reached $6.5 Bn; an impressive number if we don’t consider the $2.8 Bn losses it encountered during the same period. In the case of India, total revenue reported in FY15 was only $3 Mn (INR 18.7 Cr) higher than losses incurred.
Since selling its Chinese operations to Beijing-based Didi Chuxing and merging with Yandex in Russia, however, Uber has started focussing its efforts on capturing the Indian market, which is currently populated by home-bred giants like Ola and traditional taxi associations. Last year, for instance, it promised to infuse a substantial portion of the $3.5 Bn it raised from the Public Investment Fund of Saudi Arabia into Uber India.
In July this year, the company poured $7.99 Mn (INR 51.64 Cr) into Uber India as per filings with the Registrar of Companies. This infusion occurred in May 2017 as per company filings with the MCA. The amount was transferred from the company’s subsidiaries in Netherlands, including Uber Holdings International BV, Uber International BV, Besitz Holding BV, and Mieten BV.
Since June 2016, the company’s presence in India has grown 2.5x in terms of the number of trips as well as total merchandise volume, as claimed by Uber India head Amit Jain in an interview with Livemint. To solidify its presence in India, the cab-hailing startup started the pilot of UberPASS in selected metro cities, thanks to which cab riders can now avail discounted fares and a variety of exclusive benefits. This includes choosing the top-rated drivers, waiver on cancellation charges, exclusive access to premium products and features and more.
It has also forayed into food delivery with UberEATS service, which gives local restaurants a delivery option. The company also claims that it has appointed hundreds of delivery partners to make UberEATS a success. Meanwhile, PM Narendra Modi is planning to team up with cab sharing companies, including Uber in an attempt to reduce traffic congestion. The three-month trial will allow the government to access ways to reduce private car ownership in the country.
Back in July, the Indian arm of the ride-hailing company announced the integration of the Unified Payment Interface (UPI) on its platform. The facility was integrated to allow riders who already have virtual payment addresses for UPI transactions pay for their rides using the bank-to-bank payment platform.
Like it or not, data breaches are a common occurrence today. Big players like Yahoo, MySpace, Target Corp, Anthem Inc and Equifax Inc have all suffered from security infringements of some kind in recent times. That does not, however, justify Uber’s decision to cover up a breach of that scale. In a year that has been rife with controversies and setbacks, could this be the last nail in the coffin that does Uber in?