Editorial: Data breach proves Uber needs oversight

Uber paid two hackers a sum of $100,000 to delete the information they collected in a data breach which compromised more than 600,000 Uber accounts last October. (Photo via Wikimedia Commons)

If you took a ride with Uber before last year, your personal data may have passed into and out of the hands of hackers — and before two weeks ago, you wouldn’t have even known.

According to a Nov. 21 memo from Dara Khosrowshahi, Uber’s recently installed chief executive, the company fell victim to a hack last October that compromised the personal information of more than 600,000 Uber accounts — including 13,000 in Pennsylvania. Prior to last month’s disclosure, the data breach had been kept under wraps, with Uber paying the two hackers responsible a sum of $100,000 to delete the information and stay quiet about the incident.

Law enforcement in multiple states, including New York and Pennsylvania, has responded to Uber’s confession by launching investigations into the company’s practices. Here in Pennsylvania, state Attorney General Josh Shapiro requested specifics last week about the stolen data to determine whether or not the company violated the Commonwealth’s Breach of Personal Information Notification Act by not informing Uber users about the breach.

But regardless of whether or not Uber broke this specific law in this specific instance, it’s long past time that the government holds big tech companies accountable for their actions. Shapiro said as much in a statement announcing the investigation, suggesting that the issue with Uber is systematic, not a fluke.

“These kinds of breaches will keep happening — and Americans and Pennsylvanians will keep seeing their personal and financial information compromised — until we force these companies to change the way they do business,” Shapiro said.

While Uber’s statement assured its customers that the data hackers stole amounted to only names, phone numbers and email addresses, a lack of accountability and reporting means that we really can’t be sure yet if that was the full extent of the breach. The same goes for whether we can trust that the hackers really did delete the data after receiving payment. And while Shapiro’s and others’ investigations will hopefully uncover the truth in this case, it won’t be enough in the long term.

High-tech giants like Uber, Amazon and Google continue to hold unconscionably unchecked power in the United States. In its search for a new headquarters, Amazon has shown just how much power tech corporations have over cities — including Pittsburgh — desperate to be chosen as host. That power to more or less flout the law is unacceptable, and Shapiro should look to use this case to cut down on it.

It’s a good sign that Khosrowshahi appears to have come forward with information about the hack voluntarily — he wasn’t CEO at the time of the breach — and appears willing to cooperate with law enforcement to address the issue. Still, it’s too risky to rely on tech chiefs to be so forthcoming regularly. Increased regulation is a must.

It’s up in the air exactly when we’ll see headlines about more data breaches like this again. But when it happens next, it’d be nice to get the information sooner than a year down the road.
