November 23, 2017 · Cloud Computing, Hosting News, Web Hosting · Comments Off on Uber's messy data breach collides with launch of SoftBank deal

TORONTO/SAN FRANCISCO (Reuters) – A newspaper advertisement for an Uber Technologies Inc stock sale was juxtaposed on Wednesday with a report that the ride-service provider had covered up a data hack – something of a metaphor for Uber, a company with boundless investor interest, but whose penchant for rule-breaking has led to a series of scandals.

FILE PHOTO: A photo illustration shows the Uber app on a mobile telephone, as it is held up for a posed photograph, in London, Britain November 10, 2017. REUTERS/Simon Dawson/File Photo

The stock sale advertised in the New York Times will enable Uber [UBER.UL] investors to sell their shares to Japanese investor SoftBank, a critical deal for the company whose problems included building software to spy on competitors and to evade regulators and being investigated in Asia for paying bribes.

Uber on Tuesday said that it had paid hackers $100,000 to destroy data on more than 57 million customers and drivers that was stolen from the company – and decided under the previous CEO Travis Kalanick not to report the matter to victims or authorities. Uber was first hacked in October 2016 and discovered the data breach the following month.

Chief Executive Dara Khosrowshahi, who took the helm in August with the mission of turning around the company and overhauling its culture, acknowledged in a blog that Uber had erred in its handling of the breach. (ubr.to/2AmxlQt)

The timing of the disclosure could hardly have been worse.

The company is trying to complete a deal with SoftBank Group Corp (9984.T) in which the Japanese firm would invest as much as $10 billion for at least 14 percent of the company, mostly by buying out existing shareholders. SoftBank is advertising to find shareholders who want to sell.

Uber last month announced a preliminary deal for the SoftBank investment.

One question is whether SoftBank will now try to alter the price of the deal. One source familiar with the matter said SoftBank is planning to stick to its agreement to invest in Uber but may seek better terms. SoftBank has not yet made a final decision on whether to renegotiate, the source said.

Another question is the future of Kalanick, the co-founder who led Uber to becoming a global powerhouse but did so with aggressive and controversial tactics. He was forced out by investors in June who feared his leadership style would damage the company, although he stayed on the board and remains a significant shareholder.

A bitter battle among investors over how to resolve Uber’s problems led to a lawsuit by early investor Benchmark, which sought to oust Kalanick from any role. But a settlement was reached earlier this month to pave the way for the SoftBank deal, with Kalanick retaining his board seat and other rights.

Kalanick was made aware of the hack last November and was aware of the $100,000 payment, according to a person close to the matter. Kalanick has declined to comment. Uber did not respond to questions from Reuters on Wednesday.

MULTIPLE INVESTIGATIONS, LAWSUITS

The scope of the repercussions Uber will face for the October 2016 data breach began to take shape Wednesday with governments around the world opening investigations.

Authorities in Britain, Australia and the Philippines said they would investigate Uber’s response to the data breach. London’s transport regulator, which has been in discussions with Uber after stripping it of its license to operate, said it was pressing Uber for details.

Canada’s privacy watchdog said that it had asked Uber for details on the breach, though it had not launched a formal investigation.

Attorneys general offices in at least six U.S. states along with the Federal Trade Commission (FTC) have announced they are looking into the matter. Some states are likely to go after Uber for breaking laws on data breach notification within a reasonable period of time.

At least two class action lawsuits have been filed against the company in the United States for failing to disclose the data breaches and causing potential harm to consumers.

Uber said that it has been in touch with the FTC and several states to discuss a hack and pledged to cooperate.

Legal experts said the company is likely to face limited financial fallout from data-breach lawsuits. Uber might succeed in squelching them outright because its agreements with both customers and drivers call for mandatory arbitration of disputes.

Uber fired its chief security officer, Joe Sullivan, and a deputy, Craig Clark, over their role in handling the hack.

The board of directors had commissioned an investigation into Sullivan and his team, which is how the breach was discovered. The board committee concluded that neither Kalanick nor Salle Yoo, who was general counsel at the time, had been consulted in the company’s response to the breach, according to a second person familiar with the matter.

It is unclear what the board of directors knew, if anything. Multiple board members did not respond to requests for comment.

“The scope of this breach is something the Uber board should have been briefed about and consulted on at the very least,” said Cynthia Clark, an associate professor of management at Bentley University. “It’s a monitoring issue and one of strategy and reputation.”

Clark said that these sorts of risks could affect Uber’s IPO, which the board has agreed will take place in 2019.

The company has begun overhauling its security practices with help from Matt Olsen, former general counsel of the U.S. National Security Agency and director of the National Counterterrorism Center, CEO Khosrwoshahi said.

Uber in August settled with the FTC after the regulator found the company failed to protect the personal information of passengers and drivers, an agreement that requires 20 years of regular auditing of Uber’s data.

After this week’s disclosures, Uber can expect “more audits and more people inside of the company” from regulators, said cyber security attorney Steven Rubin.

Reporting by Jim Finkle in Toronto and Heather Somerville in San Francisco; Additional reporting by Diane Bartz in Washington, Greg Roumeliotis in New York and Alastair Sharp in Toronto.; Editing by Jonathan Weber and Grant McCool

Our Standards:The Thomson Reuters Trust Principles.
November 21, 2017 · Cloud Computing, Hosting News, Web Hosting · Comments Off on Uber CEO says company failed to disclose massive breach in 2016

(Reuters) – Uber Technologies Inc [UBER.UL] failed to disclose a massive breach last year that exposed the data of some 57 million users of the ride-sharing service, the company’s new chief executive officer said on Tuesday.

FILE PHOTO: Uber CEO Travis Kalanick speaks to students during an interaction at the Indian Institute of Technology (IIT) campus in Mumbai, India, January 19, 2016. REUTERS/Danish Siddiqui

Discovery of the company’s handling of the incident led to the departure of two employees who led Uber’s response to the incident, said Dara Khosrowshahi, who was named CEO in August following the departure of founder Travis Kalanick.

Khosrowshahi said he had only recently learned of the matter himself.

The company’s admission that it failed to disclose the breach comes as Uber seeks to recover from a series of crises that culminated in the Kalanick’s ouster in June.

“None of this should have happened, and I will not make excuses for it,” Khosrowshahi said in a blog post.

According to the company’s account, two individuals downloaded data from a web-based server at another company that provided Uber with cloud-computing services.

The data contained names, email addresses and mobile phone numbers of some 57 million Uber users around the world. The hackers also downloaded names and driver’s license numbers of some 600,000 of the company’s U.S. drivers, Khosrowshahi said in a blog post.

Bloomberg News reported that Uber’s chief security officer Joe Sullivan and a deputy had been ousted from the company this week because of their role in the handling of the incident. The company paid hackers $100,000 to delete the stolen data, according to Bloomberg.

FILE PHOTO: The logo of Uber is seen on an iPad, during a news conference to announce Uber resumes ride-hailing service, in Taipei, Taiwan April 13, 2017. REUTERS/Tyrone Siu/File Photo –

Though such payoffs are rarely discussed in public, U.S. Federal Bureau of Investigation officials and private security companies have told Reuters in the past year that an increasing number of companies have made payments to criminal hackers who have turned to extortion.

None have previously come to light that aimed to suppress breaches that would have required public disclosure, such as those involving protected personal information.

The chief executive of Uber Technologies Inc, Dara Khosrowshahi attends a meeting with Brazilian Finance Minister Henrique Meirelles (not pictured) in Brasilia, Brazil October 31, 2017. REUTERS/Adriano Machado

Sullivan did not immediately return messages seeking comment.

Sullivan, formerly the top security official at Facebook Inc (FB.O), is a former federal prosecutor and one of the most admired security executives in Silicon Valley.

Kalanick learned of the breach a month after it took place, in November 2016, as the company was in negotiations with the U.S. Federal Trade Commission over the handling of consumer data, according to Bloomberg.

Uber representatives did not respond when asked to comment on the Bloomberg report.

Khosrowshahi said he had hired Matt Olsen, former general counsel of the U.S. National Security Agency, to help him figure out how to best guide and structure the company’s security teams and processes.

“While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes,” he said. “We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”

Reporting by Jim Finkle in Toronto; Additional reporting by Joseph Menn in San Francisco; Editing by Tom Brown

Our Standards:The Thomson Reuters Trust Principles.