Two House Democrats are accusing Uber of covering up a massive 2016 data breach from federal regulators while the company was negotiating a consent decree over a separate, earlier breach.
Reps. Jan Schakowsky (D-Ill.) and Ben Ray Luján (D-N.M.) on Monday wrote to the top members of a Senate panel that will hear testimony from John Flynn, Uber’s chief information security officer, on Tuesday.
They urged the senators to press Flynn on whether Uber misled the Federal Trade Commission (FTC) in the run-up to an August 2017 consent decree, which came months before the company disclosed the breach that exposed the personal information of 57 million people.
{mosads}
“Uber’s concealment of the facts as it negotiated with the FTC is extremely concerning,” Schakowsky and Luján wrote.
In November, Uber revealed that two hackers had stolen information like names, email addresses and phone numbers from 57 million users as well as names and driver’s license numbers from about 600,000 drivers.
The revelation came just months after Uber settled with the FTC over charges of deceptive claims and a smaller 2014 data breach.
“We are cooperating with the FTC and look forward to participating in today’s hearing on data security and bug bounty programs,” an Uber spokesman said in a statement to The Hill. “We remain committed to working with other members and staff to address further questions.”
Subsequent media reports later revealed that Uber had paid $100,000 to one of the hackers responsible for the 2016 breach in exchange for him destroying the stolen data. According to Reuters, the payment was made through a “bug bounty” program, which rewards cybersecurity researchers for identifying vulnerabilities in a company’s infrastructure.
Tuesday’s hearing before a Senate Commerce Committee subcommittee on consumer protection will examine that incident and bug bounty programs in general.
Schakowsky and Luján wrote that the timeline suggests a cover-up among Uber officials.
“It defies credulity that there was not at least some overlap between those aware of the 2016 breach and those responding to the FTC investigation of the 2014 breach,” they wrote in their letter Monday.