U.S. Sens. Orrin Hatch (R-Utah), John Thune (R-S.D.), Jerry Moran (R-Kan.) and Bill Cassidy (R-La.) today, in a letter to Uber Technologies Inc. CEO Dara Khosrowshahi, requested information related to recent reports of a data breach, which Uber failed to disclose promptly, involving the personal information of 57 million customers including names, email addresses, and mobile phone numbers.
Excerpt from the letter to Uber:
“The company maintains that its outside forensic experts have not seen any indication that customer trip location history, credit card numbers, bank account numbers, Social Security numbers, or dates of birth were downloaded. Nevertheless, the nature of the information currently acknowledged to have been compromised, together with the allegation that the company concealed the breach without notifying affected drivers and consumers, and prior privacy concerns at Uber, makes this a serious incident that merits further scrutiny.”
In asking Uber to answer 11 questions about the breach and the company’s response, the letter notes that in January 2015 Uber released a report concluding the company had appropriate data security and incident response plans in place. News reports that Uber paid hackers $100,000 to delete compromised information raise concerns that the company may not have followed its own policies or adhered to the letter and spirit of an August 2017 consent order the company entered into with the Federal Trade Commission (FTC) to address its privacy and data security practices.Hatch serves as the chairman of the Committee on Finance and Cassidy as the chair of its Subcommittee on Social Security, Pensions, and Family Policy, which exercise jurisdiction over the protection of social security numbers and programs that are often targeted by identity thieves. Thune is also a member of the Finance Committee. Thune and Moran serve respectively as the chairs of the Senate Committee on Commerce, Science, and Transportation and the Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security, which exercise jurisdiction over consumer protection and cybersecurity issues.
The letter requests a response as soon as possible but no later than December 11, 2017.Click here for a copy of the full letter to Uber.