×

Multiple states are investigating Uber over a 2016 data breach, and more scrutiny might follow

Pedestrians walk past the Uber Technologies headquarters building in San Francisco, June 21, 2017.
David Paul Morris | Bloomberg | Getty Images
Pedestrians walk past the Uber Technologies headquarters building in San Francisco, June 21, 2017.

New revelations that Uber suffered a major security breach in 2016 — and initially withheld details from drivers, riders and regulators alike — is touching off another round of government probes and customer lawsuits targeting the ride-hailing giant.

At least four states — Illinois, Massachusetts, New York and Connecticut — told Recode this week that they would investigate the matter, after Uber revealed on Wednesday that the intrusion affected 57 million customers, compromising names, addresses and driver's license numbers in some cases.

Meanwhile, Uber must contend with the possible threat of a new probe at the Federal Trade Commission. The agency, which acts as the U.S. government's top privacy and security watchdog, penalized Uber for its privacy and security practices just this August. But it may not have known that Uber had suffered a major security breach in 2016, even as they investigated the company at the same time for other, unrelated security missteps.

And some affected customers are similarly taking action. On Wednesday — hours after the breach became public — an Uber user filed a lawsuit accusing the company of negligence and deceptive business practices. The plaintiff, Alejandro Flores, is seeking to represent a class of affected riders and drivers alike.

Taken together, the repercussions for Uber's silence already seem vast. Once again, the ride-hailing company faces the threat of costly litigation and other stiff penalties or fines — all at a time when the tech giant is battling back a slew of other civil and criminal probes.

"We've been in touch with several state attorney general offices and the FTC to discuss this issue, and we stand ready to cooperate with them going forward," an Uber spokesperson said.

Hackers set their sights on Uber in late 2016, according to the company, while Travis Kalanick still led the company. By accessing a public repository of Uber data, two individuals were able to see — but perhaps not steal — personal information for 57 million Uber users around the world.

At the time, Uber suppressed information about the breach — and it paid the hackers a $100,000 ransom to delete the data they had obtained. Roughly a year later, though, new Uber CEO Dara Khosrowshahi opted to make information about the security incident public, along with an apology and a promise to improve the company's digital defenses.

More from Recode:
Facebook will help some users figure out if they saw Russian propaganda during the 2016 U.S. presidential election
Uber hid a 2016 data breach that affected 57 million people
Trump's FCC has revealed plans to wipe out net neutrality

But Khosrowshahi's mea culpa is unlikely to satisfy regulators.

For one thing, 48 states maintain some version of a law that requires companies that suffer a data breach to communicate what happened to consumers. In most cases, companies must disclose a security incident if hackers steal very sensitive customer data — such as driver's license numbers, which happened with Uber in late 2016.

To that end, the attorneys general in Illinois, Connecticut and New York have said they are probing the breach at Uber — perhaps with an eye on whether the company skirted state laws. The top prosecutors in other major states, like Pennsylvania and Florida, did not immediately respond to emails on Wednesday seeking comment. California's AG declined to comment.

State laws also form the basis of an emerging class action suit, which alleges that Uber's failure to disclose the 2016 breach runs afoul of notification rules in California, Illinois, Hawaii and others. For some of these states, such as Illinois, the rider information that was exposed doesn't require disclosure but the 600,000 driver's license numbers accessed do.

In the nation's capital, meanwhile, Uber faces the prospect of more pain.

Months earlier, the company brokered a draft agreement with the FTC to settle charges dating back to 2014 that it mishandled customers' data. In that fight, the agency contended that Uber had "deceived consumers" by allowing its employees to access riders' most personal information, including the details of their trips.

But Uber's settlement with the FTC isn't technically final; the commission still must vote on it. That opens the door for the agency perhaps to rethink the order, weigh new penalties or open another probe into Uber entirely as a result of this week's revelations. Some U.S. lawmakers explicitly urged the FTC on Wednesday to do precisely that.

Perhaps complicating matters, the FTC in 2014 and 2015 specifically ordered Uber to preserve all documents and records related to privacy and security for investigators to review, according to copies of civil investigative demands sent to the company at the time and later obtained by Recode. Otherwise, the orders said, Uber could face additional civil or criminal liability. It is unclear how those demands might apply in a case like this one, where Uber did not disclose a breach in the midst of an unrelated investigation.

For now, a spokeswoman for the FTC declined comment. Two sources, however, told Recode that Uber had briefed the agency on the matter in recent days.

Even abroad, Uber faces immense criticism — and perhaps additional scrutiny. A top regulator in the European Union on Wednesday highlighted Uber's handling of the breach to make the case for greater regulation of U.S. tech giants.

Much of the responsibility for fixing Uber's new troubles now falls to Tony West, the company's new chief legal officer. A former PepsiCo executive who served as the assistant attorney general of the Department of Justice under President Barack Obama, West is also tasked with overseeing Uber's fights in a wide array of other regulatory woes — including a federal probe on foreign bribery charges.

By Tony Romm and Johana Bhuiyan, Re/code.net.

CNBC's parent NBCUniversal is an investor in Recode's parent Vox, and the companies have a content-sharing arrangement.