MARK R. WARNER
United States Senate
Rules and Administration

November 27, 2017

Dara Khosrowshahi
Chief Executive Officer
Uber
1455 Market Street
San Francisco, CA 94103

Dear Mr. Khosrowshahi,

I write you with grave concerns about your company’s handling of a breach impacting millions of your users and hundreds of thousands of your drivers. As multiple outlets have now reported, Uber experienced a breach of account data stored with a third-party cloud service provider after hackers discovered credentials associated with Uber developer accounts on a third-party code repository site. According to these reports, rather than reporting this breach to those affected, and working with law enforcement to investigate the incident and apprehend those responsible, senior Uber executives elected to track down the hackers and compensate them under the guise of a bug bounty program. While Uber reportedly learned of the breach in November 2016 — and reports indicate you subsequently learned of the breach shortly after assuming the role of CEO, in September 2017 — Uber decided not to inform either passengers or drivers of the breach until last week. Even more disturbingly, Uber is reported to have shared information concerning the breach with a potential investor weeks prior to alerting regulators or affected drivers and passengers, as required under numerous state data breach laws.[1]

I have long championed the innovation and potential of the on-demand economy. However, Uber’s conduct raises serious questions about the company’s compliance with relevant state and federal regulations. According to reports, the handling of this major breach was led by your predecessor and his hand-picked Chief Security Officer, both of whom have been alleged to have cultivated a corporate culture that encouraged senior management to “push legal boundaries or look the other way.”[2]

While I applaud you for ordering an investigation, firing two senior executives implicated in the decisions related to handling of this breach, and pledging to cooperate with law enforcement, I have a number of questions to which I am eager to receive your answers:

1. According to reports, Uber’s systems were breached after the attackers discovered log-in credentials to an AWS account used to handle payments. Why weren’t more robust access management mechanisms, including strong multi-factor authentication, enabled to prevent unauthorized access to passenger and driver data?

2. Who conducted the initial investigation for Uber that successfully identified the hackers? What “assurances” were provided by the hackers to prove they did, in fact, delete the compromised data?

3. Unlike ransomware payments, in which payment is made to recover or regain access to inaccessible data or systems, it appears the motivation behind this payment was principally to prevent the public or authorities from learning of the breach. What rationale was provided by senior executives for covering up this breach?

4. Uber has alleged that it was required to provide information relating to the breach and subsequent cover-up to prospective investors. Can you explain why Uber chose not to disclose the breach to drivers and users prior to, or at least at the same time as, a prospective investor?

5. Reports indicate that Uber successfully “tracked down the hackers and pushed them to sign nondisclosure agreements.” While some information necessary to accomplish this could certainly have been gleaned from traditional digital forensic tools, these reports — combined with Uber’s past pattern of conduct — raise serious questions about how Uber was able to track down the criminals who breached Uber’s systems and blackmailed the company, and whether these actions might have constituted violations of the Computer Fraud and Abuse Act. As you know, no private right exists for companies to “hack back” those who compromise their systems. In the process of tracking down these hackers, did Uber or any authorized party acting on its behalf engage in unauthorized access of third-party systems?

6. Uber’s decision to identify the responsible parties and commit them to a non-disclosure agreement thwarts law enforcement’s ability to bring criminal hackers to justice. To the extent Uber had lawfully acquired information enabling it to identify the hackers who had compromised its systems, ensure they would abide by agreements to delete the data and not to disclose the breach, and transfer them $100,000, it conceivably had enough information at hand to assist law enforcement in the apprehension of these criminals. Why did Uber choose not to provide relevant forensic information to law enforcement, and has this information been provided to law enforcement in the last week?

I look forward to your response. If you should have any questions or concerns, please contact my staff at 202-224-2023.

Sincerely,

MARK R. WARNER
United States Senator

[1] “Uber Told SoftBank About Data Breach Before Telling Public,” Reuters (Nov. 23, 2017), available at https://www.reuters.com/article/[...]-told-softbank-about-data-breach-before-telling-[...]
[2] Eric Newcomer, “Uber Pushed the Limits of the Law. Now Comes the Reckoning,” Bloomberg (Oct. 11, 2017), available at https://www.bloomberg.com/news/features/2017-10-11/uber-pushed-the-limits-of-the-law-now-comes-the-reckoning