Uber covered up a data hack.
A newspaper advertisement for an Uber Technologies Inc stock sale was
juxtaposed on Wednesday with a report that the ride-service provider had
covered up a data hack - something of a metaphor for Uber, a company
with boundless investor interest, but whose penchant for rule-breaking
has led to a series of scandals.
Another question is the future of Kalanick, the
co-founder who led Uber to becoming a global powerhouse but did so with
aggressive and controversial tactics. He was forced out by investors in
June who feared his leadership style would damage the company, although
he stayed on the board and remains a significant shareholder.
Kalanick was made aware of the hack last
November and was aware of the $100,000 payment, according to a person
close to the matter. Kalanick has declined to comment. Uber did not
respond to questions from Reuters on Wednesday.
Uber in August settled with the FTC after the regulator
found the company failed to protect the personal information of
passengers and drivers, an agreement that requires 20 years of regular
auditing of Uber’s data.
After this week’s disclosures, Uber can expect “more audits and more people inside of the company” from regulators, said cyber security attorney Steven Rubin.
The stock sale advertised in the New York Times
will enable Uber [UBER.UL] investors to sell their shares to Japanese
investor SoftBank, a critical deal for the company whose problems
included building software to spy on competitors and to evade regulators
and being investigated in Asia for paying bribes.
Uber on Tuesday said that it had paid hackers $100,000 to destroy data on
more than 57 million customers and drivers that was stolen from the
company - and decided under the previous CEO Travis Kalanick not to
report the matter to victims or authorities. Uber was first hacked in
October 2016 and discovered the data breach the following month.
Chief Executive Dara Khosrowshahi, who took the helm in August with the
mission of turning around the company and overhauling its culture,
acknowledged in a blog that Uber had erred in its handling of the
breach. (ubr.to/2AmxlQt)
The timing of the disclosure could hardly have been worse.
The company is trying to complete a deal with SoftBank Group Corp (9984.T)
in which the Japanese firm would invest as much as $10 billion for at
least 14 percent of the company, mostly by buying out existing
shareholders. SoftBank is advertising to find shareholders who want to
sell.
Uber last month announced a preliminary deal for the SoftBank investment.
One question is whether SoftBank will now try to alter the price of the
deal. One source familiar with the matter said SoftBank is planning to
stick to its agreement to invest in Uber but may seek better terms.
SoftBank has not yet made a final decision on whether to renegotiate,
the source said.
A bitter battle among investors over how to resolve Uber’s problems led
to a lawsuit by early investor Benchmark, which sought to oust Kalanick
from any role. But a settlement was reached earlier this month to pave
the way for the SoftBank deal, with Kalanick retaining his board seat
and other rights.
MULTIPLE INVESTIGATIONS, LAWSUITS
The scope of the repercussions Uber will face for the October 2016 data
breach began to take shape Wednesday with governments around the world
opening investigations.
Authorities in Britain,
Australia and the Philippines said they would investigate Uber’s
response to the data breach. London’s transport regulator, which has
been in discussions with Uber after stripping it of its license to
operate, said it was pressing Uber for details.
Canada’s privacy watchdog said that it had asked Uber for details on the breach,
though it had not launched a formal investigation.
Attorneys general offices in at least six U.S. states along with the Federal
Trade Commission (FTC) have announced they are looking into the matter.
Some states are likely to go after Uber for breaking laws on data breach
notification within a reasonable period of time.
At least two class action lawsuits have been filed against the company in
the United States for failing to disclose the data breaches and causing
potential harm to consumers.
Uber said that it has been in touch with the FTC and several states to discuss a hack and pledged to cooperate.
Legal experts said the company is likely to face limited financial fallout
from data-breach lawsuits. Uber might succeed in squelching them
outright because its agreements with both customers and drivers call for
mandatory arbitration of disputes.
Uber fired its chief security officer, Joe Sullivan, and a deputy, Craig Clark, over their role in handling the hack.
The board of directors had commissioned an investigation into Sullivan and
his team, which is how the breach was discovered. The board committee
concluded that neither Kalanick nor Salle Yoo, who was general counsel
at the time, had been consulted in the company’s response to the breach,
according to a second person familiar with the matter.
It is unclear what the board of directors knew, if anything. Multiple
board members did not respond to requests for comment.
“The scope of this breach is something the Uber board should have been
briefed about and consulted on at the very least,” said Cynthia Clark,
an associate professor of management at Bentley University. “It’s a
monitoring issue and one of strategy and reputation.”
Clark said that these sorts of risks could affect Uber’s IPO, which the board has agreed will take place in 2019.
The company has begun overhauling its security practices with help from
Matt Olsen, former general counsel of the U.S. National Security Agency
and director of the National Counterterrorism Center, CEO Khosrowshahi
said.