Chicago: Uber’s claim that hackers fully deleted stolen data is “nonsensical”
It’s now been a full week since the jaw-dropping revelations that Uber sustained a massive data breach in 2016, which affected over 57 million people.
Since November 21, the company has been hit with 10 federal lawsuits (including the two Ars reported on last week). On Monday, the City of Chicago and Cook County also sued Uber in Illinois state court, while numerous senators are now demanding answers as well.
The cases allege substantial negligence on Uber’s part: plaintiffs say the company failed to keep safe the data of the affected 50 million customers and 7 million drivers.
Uber reportedly paid the hackers $100,000 to delete the stolen data and tried to keep news of the breach quiet by having them sign non-disclosure agreements.
In the case of City of Chicago v. Uber, city and Cook County lawyers wrote that in October 2016, then-CEO Travis Kalanick was contacted by two hackers who claimed to have millions of individual Uber customers’ records.
"In striking resemblance to the 2014 breach, the hackers had accessed a private GitHub repository and found database login credentials," Chicago's attorneys argued.
"While the repository was password-protected, hackers were still able to breach it—indicating either a very weak password or the fact that the user credentials for the repository were found in a previous unrelated data breach. And even though Uber specifically promised regulators that it would use two-factor authentication on services like GitHub, it clearly failed to implement that promise. Once inside the GitHub repository, the attackers once again found AWS login credentials, which the attackers then used to access and extract the personal information of over 50 million people, including Chicago and Illinois residents."
Last Tuesday, CEO Dara Khosrowshahi wrote: "None of this should have happened, and I will not make excuses for it."
According to the Wall Street Journal, Khosrowshahi learned of the breach two weeks after he took over the company’s top job on September 6, and yet he kept quiet for over two months.
Chicago attorneys also wrote that the company’s claim that the stolen data has been fully expunged is "nonsensical."
"It has not demonstrated, in any way, how or why it knows the data was actually deleted," they wrote. "No matter what documents the hackers signed, or representations they made, Uber is saying little more than that they trust the word of criminals."
The 10 broadly similar proposed class-action suits were filed in several federal courts across the country: in San Francisco; Los Angeles; Allentown, Pennsylvania; Portland; Chicago; and even Huntsville, Alabama.
On Monday, a group of senators, led by Sen. John Thune (R-South Dakota) and Sen. Orrin Hatch (R-Utah), specifically asked for a "detailed timeline" of the incident, among other demands due by December 11.
Sen. Mark Warner (D-Virginia) had an even more damning question.
"To the extent Uber had lawfully acquired information enabling it to identify the hackers who had compromised its systems, ensure they would abide by agreements to delete the data and not to disclose the breach, and transfer them $100,000, it conceivably had enough information at hand to assist law enforcement in the apprehension of these criminals," he wrote.
"Why did Uber choose not to provide relevant forensic information to law enforcement and has this information been provided to law enforcement in the last week?"
Uber spokeswoman Molly Spaeth sent a statement to other media, including the Chicago Tribune, which read: "We are committed to changing the way we do business, putting integrity at the core of every decision we make, and working hard to regain the trust of consumers."
Uber has not responded to Ars’ multiple requests for comment.