U.S. Sen. Mark R. Warner (D-VA), Ranking Member of the Senate Banking Subcommittee on Securities, Insurance and Investment, today pressed Uber CEO Dara Khosrowshahi on the company’s recent disclosure that hackers accessed the personal information of 57 million users last year.
MARK R. WARNER
United States Senate
RULES AND ADMINISTRATION
November 27, 2017
Dara Khosrowshahi
Chief Executive Officer
Uber
1455 Market Street
San Francisco, CA 94103
Dear Mr. Khosrowshahi,
I write you with grave concerns about your company’s handling of a breach impacting millions
of your users and hundreds of thousands of your drivers. As multiple outlets have now reported,
Uber experienced a breach of account data stored with a third-party cloud service provider after
hackers discovered credentials associated with Uber developer accounts on a third-party code
repository site. According to these reports, rather than reporting this breach to those affected, and
working with law enforcement to investigate the incident and apprehend those responsible,
senior Uber executives elected to track down the hackers and compensate them under the guise
of a bug bounty program.
While Uber reportedly learned of the breach in November 2016 — and reports indicate you
subsequently learned of the breach shortly after assuming the role of CEO, in September 2017 —
Uber decided not to inform either passengers or drivers of the breach until last week. Even more
disturbingly, Uber is reported to have shared information concerning the breach with a potential
investor weeks prior to alerting regulators or affected drivers and passengers, as required under
numerous state data breach laws.¹
I have long championed the innovation and potential of the on-demand economy. However,
Uber's conduct raises serious questions about the company’s compliance with relevant state and
federal regulations. According to reports, the handling of this major breach was led by your
predecessor and his hand-picked Chief Security Officer, both of whom have been alleged to have
cultivated a corporate culture that encouraged senior management to “push legal boundaries or
look the other way.”² While I applaud you for ordering an investigation, firing two senior
executives implicated in the decisions related to handling of this breach, and pledging to
cooperate with law enforcement, I have a number of questions to which I am eager to receive
your answers:
¹ “Uber Told SoftBank About Data Breach Before Telling Public,” Reuters (Nov. 23, 2017), available at
https://www.reuters.com/article/…-told-softbank-about-data-breach-before-telling-…
² Eric Newcomer, “Uber Pushed the Limits of the Law. Now Comes the Reckoning,” Bloomberg (Oct. 11, 2017),
available at https://www.bloomberg.com/news/features/2017-10-11/uber-pushed-the-limits-of-the-law-now-comes-the-reckoning

1. According to reports, Uber’s systems were breached after the attackers discovered log-in
credentials to an AWS account used to handle payments. Why weren’t more robust
access management mechanisms, including strong multi-factor authentication, enabled to
prevent unauthorized access to passenger and driver data?
2. Who conducted the initial investigation for Uber that successfully identified the hackers?
What “assurances” were provided by the hackers to prove they did, in fact, delete the
compromised data?
3. Unlike ransomware payments, in which payment is made to recover or regain access to
inaccessible data or systems, it appears the motivation behind this payment was
principally to prevent the public or authorities from learning of the breach. What rationale
was provided by senior executives for covering up this breach?
4. Uber has alleged that it was required to provide information relating to the breach and
subsequent cover-up to prospective investors. Can you explain why Uber chose not to
disclose the breach to drivers and users prior to, or at least at the same time as, a
prospective investor?
5. Reports indicate that Uber successfully “tracked down the hackers and pushed them to
sign nondisclosure agreements.” While some information necessary to accomplish this
could certainly have been gleaned from traditional digital forensic tools, these reports —
combined with Uber’s past pattern of conduct — raise serious questions about how Uber
was able to track down the criminals who breached Uber’s systems and blackmailed the
company, and whether these actions might have constituted violations of the Computer
Fraud and Abuse Act. As you know, no private right exists for companies to “hack back”
those who compromise their systems. In the process of tracking down these hackers, did
Uber or any authorized party acting on its behalf engage in unauthorized access of third
party systems?
6. Uber’s decision to identify the responsible parties and commit them to a non-disclosure
agreement thwarts law enforcement's ability to bring criminal hackers to justice. To the
extent Uber had lawfully acquired information enabling it to identify the hackers who had
compromised its systems, ensure they would abide by agreements to delete the data and
not to disclose the breach, and transfer them $100,000, it conceivably had enough
information at hand to assist law enforcement in the apprehension of these criminals.
Why did Uber choose not to provide relevant forensic information to law enforcement
and has this information been provided to law enforcement in the last week?
I look forward to your response. If you should have any questions or concerns, please contact my
staff at 202-224-2023.
Sincerely,
MARK R. WARNER
United States Senator