A massive cyber attack and its subsequent cover-up by Uber has prompted a slew of investigations from data protection authorities around the world. In a news article last Tuesday, Bloomberg reported hackers stole the personal information of 57 million Uber users and 7 million drivers and that the company did not disclose the breach to relevant authorities or its users for nearly a year. Further, Uber reportedly paid the attackers $100,000 to keep the breach secret. 

The fall out was almost immediate and wide ranging, according to the Financial Times. In Europe, the Article 29 Working Party announced it will decide this week whether to coordinate investigations into the breach. A spokesperson for the CNIL, the French DPA, said, "It is not very common to have a task force but for very big cases that are an issue for European citizens the working party on Article 29 can set [one] up." 

Data protection authorities from the U.K., Italy, Austria and Poland have already announced separate investigations. The Netherlands, where Uber has based its EU operations, is also probing the incident. 

A spokesperson for the Dutch DPA told the Financial Times, "What we are doing now is to look at whether Uber have reported the breach on time, whether the people involved were informed or not informed and should they have been informed. ... We will ask what was the cause of the data breach and what was done to fix it." Data protection law in the Netherlands requires companies to notify the DPA of a breach within 72 hours or face fines up to 820,000 euros. 

Antonello Soro, president of Garante, the Italian DPA, is quoted as saying, "It is clearly surprising that a digital multinational like Uber has patently insufficient and inadequate security measures in place to protect data. We are dismayed by the poor transparency shown towards users, which we intend to investigate." 

In the U.S., the Federal Trade Commission announced it is "closely evaluating the serious issues" brought forward by the company's handling of the incident. Uber has previously settled a complaint with the FTC after a separate breach hit the company in 2014 and 2015, which affected approximately 100,000 users. In the consent order, Uber is prohibited from misrepresenting how it protects, stores and processes personal data; must undergo regular, independent audits; and must implement a comprehensive privacy program. 

Not long after the FTC settlement last August, the IAPP's Angelique Carson, CIPP/US, interviewed representatives from Uber about its privacy protection efforts, including how it "was taking privacy into account long before the settlement came into play, hiring its first chief security officer, Joe Sullivan, in 2015 — whose responsibilities include privacy — and building teams with shared responsibility for demonstrable privacy metrics." Sullivan, according to last week's Bloomberg report, was ousted from Uber for his role in the cover-up. 

In the August report for The Privacy Advisor, Uber also discussed why it does not employ a dedicated chief privacy officer or a privacy office. Product Manager Zach Singleton, at the time, said, "I would say our model is working. ... It is effective for us." 

Yet, if some at the company knew about the breach during the FTC's investigation, they will have violated the FTC settlement. Ed McAndrew, a former federal cybercrime prosecutor, told CNET, "It appears [Uber] violated the FTC consent order before the ink was dry on it."  

Elsewhere in North America, Mexico's National Institute of Transparency, Access to Information and Protection of Personal Data said it is seeking clarifying information from Uber about how many Mexican users and drivers were affected. Likewise, a spokesperson for the Office of the Privacy Commissioner of Canada said the company has not yet been able to determine how many Canadians were affected. OPC Spokesperson Valerie Lawton said, "At this point in time, we have not opened a formal investigation," but she added, "We have asked Uber to provide us with a written breach report, in which we would expect them to provide details about how the breach happened and about the impact on Canadians." 

DPAs are also probing Uber's actions in the Asia-Pacific region. The National Privacy Commission of the Philippines officially asked the company "to shed more light" on the data breach. "By virtue of its operations and processing of Filipino end-user data, Uber is considered a Personal Information Controller and must comply with Philippine data privacy and protection laws," said NPC Commissioner Raymund Enriquez Liboro. 

In response to the multiple inquiries, Reuters reports Uber executives are traveling across the world to meet with regulators. The breach disclosure comes as Uber negotiates a deal with Japanese firm Softbank to invest as much as $10 billion into the company. 

Within hours of Uber's breach announcement last week, a class-action lawsuit was filed in Los Angeles by the Wilshire Law Firm. According to plaintiff's lawyer Jay Edelson, however, Uber may "not face crippling exposure in a data breach class action," Reuters reports. "The way that data breach class actions are framed right now," he said, "conduct doesn't matter terribly much." Uber has drivers and riders sign off on arbitration clauses when using the service. But Edelson also said that state and federal regulators could sue the company. "Class actions have failed in the data breach context," Edelson explained. "Uber may end up with more exposure on the government end." 

Details about how hackers were able to access the personal data are also emerging. Adversaries allegedly were able to gain access to a private GitHub coding website that was used by software engineers at Uber. The hackers took login credentials from the site to access the company's massive data store. The 2016 hack parallels the 2014 incident in which an adversary accessed a publicly posted key to Uber's Amazon S3 Datastore, where data was allegedly stored in plaintext. 

Photo credit: marcoverch Uber zahlt Hackern Schweigegeld - Millionen Kundendaten geklaut via photopin (license)