“Uber’s payment of this blackmail – without notifying consumers who were gravely at risk – was morally wrong and legally reprehensible,” said Blumenthal
[WASHINGTON, DC] – Today in an exchange with U.S. Senator Richard Blumenthal (D-CT), Ranking Member of the Senate Commerce Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security, Uber’s Chief Information Security Officer, John Flynn, admitted the company has failed to implement measures to prevent data breaches and subsequent blackmail threats over a year after a 2016 breach that exposed the sensitive personal information of 57 million Uber drivers and riders. In November 2017, Uber revealed it had paid a $100,000 ransom to hackers to destroy the stolen records and keep quiet. The blackmail payment was made under the guise of a “bug bounty” program Uber operates under HackerOne to catch security vulnerabilities in its platform. Uber did not initially notify affected consumers or federal authorities about the breach.
In questioning about changes to Uber’s bug bounty policy since the data breach, Blumenthal asked Flynn, “Do you have clear limits – parameters – for non-negotiable and clearly defined policy on how much you will pay [in ransoms]?”
“…As part of new leadership coming in, we are in the process of reviewing new policy regarding that right now,” Flynn responded.
“So you don’t have them now?” said Blumenthal.
“It’s something we’re working on,” said Flynn.
Video of Blumenthal’s opening remarks and full lines of questioning is available for download here. The above exchange with Flynn begins at 08:15.
Blumenthal has sponsored the Data Breach Accountability and Enforcement Act, legislation to ensure the FTC can investigate the data breach of any company that holds sensitive consumer data, and can impose civil penalties that will motivate companies to implement strong security at the outset. He is also an original cosponsor of the Data Security and Breach Notification Act, which directs the FTC to develop rules that require businesses to adopt security protocols to protect consumers’ personal information, and require companies to notify affected parties in the event of a breach.